Feature #463
per connection "uniqueids"
Description
Grüzi,
i'm running strongSwan with several net-net connections to some branches and also it's acting as a vpn concentrator for clients using ikev1/2 client.
For clients, authentication with radius behind, the option "uniqueids = yes" is bad because i want to allow several connections for each user simultaneously .
Then i have an IKEv2 net-net to a Sonicwall with 3 networks on _each_side. (9 SAs).
If i set "uniqueids" to "no" to archieve to multiple connections per user the sonnicwall connections drops packages after a couple of seconds with error messages like
unable to install policy 10.10.10.0/24 === 10.254.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Setting "reqid=1337" at the sonicwall-connection builds 9 SAs with the same reqid. That's fine, but outgoing traffic is now sent with the wrong SPI which is not accepted by sonicwall.
Any workaround? Any reason why this option is not available on a per-connection base?
Kind Regards
Folke
Associated revisions
Merge branch 'reqid-alloc'
With these changes, charon dynamically allocates reqids for CHILD_SAs. This
allows the reuse of reqids for identical policies, and basically allows multiple
CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA,
a new unique identifier for CHILD_SAs is introduced, and the kernel backends
use a proto/dst/SPI tuple to identify CHILD_SAs.
charon-tkm is not yet updated and expires are actually broken with this merge.
As some significant refactorings are required, this is fixed using a separate
merge.
History
#1 Updated by Folke Ashberg over 5 years ago
Update: i had the same issue like #431 and already set reauth=no and rekey=no .
So it's not the rekeying, it's the peer which connects to me
#2 Updated by Martin Willi about 5 years ago
- Tracker changed from Issue to Feature
- Status changed from New to Closed
- Assignee set to Martin Willi
- Target version set to 5.2.0
- Resolution set to Fixed
Any workaround? Any reason why this option is not available on a per-connection base?
It has historical reasons. Unlikely that we'll introduce a connection specific uniqueids option in ipsec.conf.
However, the new swanctl configuration backend in 5.2.0 will support per-connection unique policy using the unique keyword. Refer to the swanctl.conf(5) manpage if you want to give it a try.
Regards
Martin
#3 Updated by Martin Willi over 4 years ago
If i set "uniqueids" to "no" to archieve to multiple connections per user the sonnicwall connections drops packages after a couple of seconds with error messages like
unable to install policy 10.10.10.0/24 === 10.254.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
With the referenced merge of the reqid-alloc branch to master, strongSwan can now handle identical policies by reusing the same reqid. This allows identical CHILD_SAs: on on the outbound path the last SA is used. Not sure if this helps for your specific problem, but your feedback is welcome.
Regards
Martin
Merge branch 'reqid-alloc'
With these changes, charon dynamically allocates reqids for CHILD_SAs. This
allows the reuse of reqids for identical policies, and basically allows multiple
CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA,
a new unique identifier for CHILD_SAs is introduced, and the kernel backends
use a proto/dst/SPI tuple to identify CHILD_SAs.
charon-tkm is not yet updated and expires are actually broken with this merge.
As some significant refactorings are required, this is fixed using a separate
merge.
References #422, #431, #463.