Hi Anand,

> conn toevm2-psk
> ...
> auto=route
The problem is the combination of auto=route and reauth=yes (which is the default). With reauth=yes the IKE_SA is not rekeyed but reauthenticated. This means that the IKE_SA is first deleted and then reestablished. During this (albeit short) downtime there is no IPsec SA installed in the Linux kernel. That is, the policy that is installed with auto=route now has no IPsec SA associated with it, so any matching traffic will trigger another acquire from the kernel. This makes charon queue a CREATE_CHILD_SA exchange, which it handles after the IKE_SA is reestablished, together with all previously established CHILD_SAs. So you eventually end up with an additional CHILD_SA for each acquire that fires during a reauthentication phase.

To fix this, simply set reauth=no, which causes charon to do a regular rekey of the IKE_SA without deleting it and the installed IPsec SAs first.

Regards,
Tobias
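An added example (not from the thread or from strongSwan itself) that lints an ipsec.conf for the combination described above: conns whose effective settings are auto=route with reauth left at its default of yes. The sample config is constructed; it models only `conn %default` inheritance, not `also=`.

```python
import re

# Constructed sample, not the poster's real configuration.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    auto=route

conn toevm2-psk
    authby=psk
    left=192.0.2.1
    right=198.51.100.1

conn toevm2-psk-fixed
    authby=psk
    left=192.0.2.1
    right=198.51.100.1
    reauth=no

conn started-on-boot
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for every 'conn' section.
    Section headers sit at column 0; their settings are indented."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments / blank lines
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[0] in " \t" and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # 'config setup' or another non-conn section
    return conns

def risky_conns(text):
    """Names of conns that combine auto=route with an effective reauth=yes.
    reauth defaults to yes; 'conn %default' values apply to every conn.
    Assumption: only %default inheritance is modelled, not 'also='."""
    conns = parse_ipsec_conf(text)
    default = conns.get("%default", {})
    risky = []
    for name, opts in conns.items():
        if name == "%default":
            continue
        effective = {**default, **opts}
        if effective.get("auto") == "route" and effective.get("reauth", "yes") == "yes":
            risky.append(name)
    return risky

if __name__ == "__main__":
    print(risky_conns(SAMPLE_IPSEC_CONF))  # ['toevm2-psk']
```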