Issue #2958
Updated by Tobias Brunner over 6 years ago
Hi,
I'm using transport mode to encrypt traffic between a set of ports on a fleet of machines. Based on https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Host-To-Host-transport-mode
I have a config that works, but it seems to constantly generate new IKE_SAs every few seconds (log attached). I've not measured the overhead of this, but expect it to be a significant latency hit!
Any hints on how to improve this? Or can I safely ignore the problem?
thanks
James Masson
Config
<pre>
###
conn default
ike=aes128gcm16-prfsha256-ecp256!
esp=aes128gcm16-prfsha256-ecp256!
keyexchange=ikev2
keyingtries=%forever
mobike=no
conn transport-mode-out
also=default
rightsubnet=10.32.0.0/16[17/10000],10.32.0.0/16[17/10001],10.32.0.0/16[17/10002],10.32.0.0/16[17/10003],10.32.0.0/16[17/10004],10.32.0.0/16[17/10005],10.32.0.0/16[17/10006],10.32.0.0/16[17/10007]
type=transport
authby=psk
auto=route
conn transport-mode-in
also=default
leftsubnet=10.32.0.0/16[17/10000],10.32.0.0/16[17/10001],10.32.0.0/16[17/10002],10.32.0.0/16[17/10003],10.32.0.0/16[17/10004],10.32.0.0/16[17/10005],10.32.0.0/16[17/10006],10.32.0.0/16[17/10007]
type=transport
authby=psk
auto=route
</pre>
<pre>
###
root@ipsec:/# ipsec status
Routed Connections:
transport-mode-in{2}: ROUTED, TRANSPORT, reqid 2
transport-mode-in{2}: 10.32.0.0/16[17/10000] 10.32.0.0/16[17/10001] 10.32.0.0/16[17/10002] 10.32.0.0/16[17/10003] 10.32.0.0/16[17/10004] 10.32.0.0/16[17/10005] 10.32.0.0/16[17/10006] 10.32.0.0/16[17/10007] === 0.0.0.0/0
transport-mode-out{1}: ROUTED, TRANSPORT, reqid 1
transport-mode-out{1}: 0.0.0.0/0 === 10.32.0.0/16[17/10000] 10.32.0.0/16[17/10001] 10.32.0.0/16[17/10002] 10.32.0.0/16[17/10003] 10.32.0.0/16[17/10004] 10.32.0.0/16[17/10005] 10.32.0.0/16[17/10006] 10.32.0.0/16[17/10007]
Security Associations (6 up, 0 connecting):
transport-mode-out[110]: ESTABLISHED 0 seconds ago, 10.32.1.10[10.32.1.10]...10.32.3.10[10.32.3.10]
transport-mode-in{112}: INSTALLED, TRANSPORT, reqid 78, ESP SPIs: c57a8898_i cad278a4_o
transport-mode-in{112}: 10.32.1.10/32[17/10000] 10.32.1.10/32[17/10001] 10.32.1.10/32[17/10002] 10.32.1.10/32[17/10003] 10.32.1.10/32[17/10004] 10.32.1.10/32[17/10005] 10.32.1.10/32[17/10006] 10.32.1.10/32[17/10007] === 10.32.3.10/32
transport-mode-out[109]: ESTABLISHED 7 seconds ago, 10.32.1.10[10.32.1.10]...10.32.2.10[10.32.2.10]
transport-mode-in{111}: INSTALLED, TRANSPORT, reqid 2, ESP SPIs: c0841f21_i cf4181ce_o
transport-mode-in{111}: 10.32.1.10/32[17/10000] 10.32.1.10/32[17/10001] 10.32.1.10/32[17/10002] 10.32.1.10/32[17/10003] 10.32.1.10/32[17/10004] 10.32.1.10/32[17/10005] 10.32.1.10/32[17/10006] 10.32.1.10/32[17/10007] === 10.32.2.10/32
transport-mode-out[108]: ESTABLISHED 10 seconds ago, 10.32.1.10[10.32.1.10]...10.32.3.10[10.32.3.10]
transport-mode-out{110}: INSTALLED, TRANSPORT, reqid 77, ESP SPIs: cf88ceec_i c2957bf4_o
transport-mode-out{110}: 10.32.1.10/32 === 10.32.3.10/32[17/10000] 10.32.3.10/32[17/10001] 10.32.3.10/32[17/10002] 10.32.3.10/32[17/10003] 10.32.3.10/32[17/10004] 10.32.3.10/32[17/10005] 10.32.3.10/32[17/10006] 10.32.3.10/32[17/10007]
transport-mode-out[107]: ESTABLISHED 17 seconds ago, 10.32.1.10[10.32.1.10]...10.32.2.10[10.32.2.10]
transport-mode-out{109}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ca06e25f_i c730c145_o
transport-mode-out{109}: 10.32.1.10/32 === 10.32.2.10/32[17/10000] 10.32.2.10/32[17/10001] 10.32.2.10/32[17/10002] 10.32.2.10/32[17/10003] 10.32.2.10/32[17/10004] 10.32.2.10/32[17/10005] 10.32.2.10/32[17/10006] 10.32.2.10/32[17/10007]
transport-mode-out[6]: ESTABLISHED 8 minutes ago, 10.32.1.10[10.32.1.10]...10.32.101.37[10.32.101.37]
transport-mode-in{8}: INSTALLED, TRANSPORT, reqid 6, ESP SPIs: c2a132ed_i c8de4a58_o
transport-mode-in{8}: 10.32.1.10/32[17/10000] 10.32.1.10/32[17/10001] 10.32.1.10/32[17/10002] 10.32.1.10/32[17/10003] 10.32.1.10/32[17/10004] 10.32.1.10/32[17/10005] 10.32.1.10/32[17/10006] 10.32.1.10/32[17/10007] === 10.32.101.37/32
transport-mode-out[1]: ESTABLISHED 8 minutes ago, 10.32.1.10[10.32.1.10]...10.32.1.124[10.32.1.124]
transport-mode-in{3}: INSTALLED, TRANSPORT, reqid 3, ESP SPIs: cc3dce99_i c006b429_o
transport-mode-in{3}: 10.32.1.10/32[17/10000] 10.32.1.10/32[17/10001] 10.32.1.10/32[17/10002] 10.32.1.10/32[17/10003] 10.32.1.10/32[17/10004] 10.32.1.10/32[17/10005] 10.32.1.10/32[17/10006] 10.32.1.10/32[17/10007] === 10.32.1.124/32
</pre>
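The status output above already shows the symptom in the raw data: two IKE_SAs to the same peer a few seconds apart (for example [107] and [109] to 10.32.2.10, [108] and [110] to 10.32.3.10). Before tuning anything it helps to quantify that churn rather than eyeball it. The following script is an added example, not part of the original post or of strongSwan itself: it parses the `Security Associations` section of `ipsec status` output, groups IKE_SAs by remote peer, flags peers that have more than one IKE_SA, and counts how many were established within a configurable window (`window=60` seconds is an assumed default). The sample input is the status output quoted in the post, trimmed to the lines the parser needs; the regular expressions are written for the stroke-style `ipsec status` format shown here, not for `swanctl --list-sas`, whose layout differs.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the "Security Associations" lines from the
# `ipsec status` output quoted in the post (traffic-selector lines omitted).
SAMPLE_STATUS = """\
Security Associations (6 up, 0 connecting):
transport-mode-out[110]: ESTABLISHED 0 seconds ago, 10.32.1.10[10.32.1.10]...10.32.3.10[10.32.3.10]
transport-mode-in{112}: INSTALLED, TRANSPORT, reqid 78, ESP SPIs: c57a8898_i cad278a4_o
transport-mode-out[109]: ESTABLISHED 7 seconds ago, 10.32.1.10[10.32.1.10]...10.32.2.10[10.32.2.10]
transport-mode-in{111}: INSTALLED, TRANSPORT, reqid 2, ESP SPIs: c0841f21_i cf4181ce_o
transport-mode-out[108]: ESTABLISHED 10 seconds ago, 10.32.1.10[10.32.1.10]...10.32.3.10[10.32.3.10]
transport-mode-out{110}: INSTALLED, TRANSPORT, reqid 77, ESP SPIs: cf88ceec_i c2957bf4_o
transport-mode-out[107]: ESTABLISHED 17 seconds ago, 10.32.1.10[10.32.1.10]...10.32.2.10[10.32.2.10]
transport-mode-out{109}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ca06e25f_i c730c145_o
transport-mode-out[6]: ESTABLISHED 8 minutes ago, 10.32.1.10[10.32.1.10]...10.32.101.37[10.32.101.37]
transport-mode-in{8}: INSTALLED, TRANSPORT, reqid 6, ESP SPIs: c2a132ed_i c8de4a58_o
transport-mode-out[1]: ESTABLISHED 8 minutes ago, 10.32.1.10[10.32.1.10]...10.32.1.124[10.32.1.124]
transport-mode-in{3}: INSTALLED, TRANSPORT, reqid 3, ESP SPIs: cc3dce99_i c006b429_o
"""

# IKE_SA line: conn[id]: ESTABLISHED <n> <unit> ago, local[id]...remote[id]
IKE_RE = re.compile(
    r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]: ESTABLISHED (?P<age>\d+) "
    r"(?P<unit>seconds?|minutes?|hours?|days?) ago, "
    r"(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[[^\]]*\]"
)
# CHILD_SA line: conn{id}: INSTALLED, <mode>, reqid <n>, ...
CHILD_RE = re.compile(
    r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}: INSTALLED, (?P<mode>\w+), reqid (?P<reqid>\d+)"
)

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_status(text):
    """Return the IKE_SAs in `ipsec status` output, each with its age in
    seconds and the CHILD_SAs listed beneath it."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:
            unit = m["unit"].rstrip("s")  # "seconds" -> "second"
            sas.append({
                "conn": m["conn"],
                "id": int(m["id"]),
                "age": int(m["age"]) * UNIT_SECONDS[unit],
                "local": m["local"],
                "remote": m["remote"],
                "children": [],
            })
            continue
        m = CHILD_RE.match(line)
        if m and sas:
            # CHILD_SAs are printed directly under the IKE_SA that owns them.
            sas[-1]["children"].append(
                {"conn": m["conn"], "id": int(m["id"]), "reqid": int(m["reqid"])}
            )
    return sas


def churn_report(sas, window=60):
    """Group IKE_SAs by remote peer. A peer with more than one IKE_SA, or
    with several IKE_SAs younger than `window` seconds, is churning."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["remote"]].append(sa)
    report = {}
    for peer, peer_sas in by_peer.items():
        report[peer] = {
            "ike_sas": sorted(sa["id"] for sa in peer_sas),
            "duplicates": len(peer_sas) > 1,
            "recent": sum(1 for sa in peer_sas if sa["age"] < window),
        }
    return report


if __name__ == "__main__":
    # Pipe live output in (`ipsec status | python3 churn.py`), otherwise
    # fall back to the sample quoted from the post.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for peer, info in sorted(churn_report(parse_status(text)).items()):
        flag = "DUPLICATE" if info["duplicates"] else "ok"
        print(f"{peer:15} IKE_SAs={info['ike_sas']} recent={info['recent']} {flag}")
```

Run against the quoted output, the report shows 10.32.2.10 and 10.32.3.10 each with two IKE_SAs established within the last minute, while the two peers first seen eight minutes earlier have one each; sampling this a few times a minute on a live host turns "every few seconds" into a measured rate per peer that can be compared before and after any configuration change.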