Hi Martin,

Thanks for your inputs. I am concerned about the below Error Messages. I'm not trying to connect multiple IKE peers with the same identity.

Why is strongSwan trying to destroy the IKE_SA (referred from the logs below) after the tunnel has been formed?

Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[[email protected]]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] CHILD_SA fqdn_vr{4}
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:00:56 uxcasxxx charon: 13[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification

Regards,
Saravanan N

On Thu, Jun 28, 2012 at 1:34 PM, Martin Willi <[email protected]> wrote:
>
> > After some time, Strongswan is deleting IKE_SA without sending any
> > notification
>
> Not "after some time", but after another (or the same?) peer connects
> with the same identity:
>
> > 14[IKE] deleting duplicate IKE_SA for peer '[email protected]' due to
> > uniqueness policy
>
> Have a look at the ipsec.conf "uniqueids" option to see how to handle
> multiple clients with the same identity. Maybe the same peer tries to
> reauthenticate, but that might be problematic if a uniqueness policy is
> in place.
>
> > 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
> > 14[ENC] generating INFORMATIONAL request 0 [ D ]
>
> And a notify is sent for the old SA, but the peer never responds to the
> delete exchange.
>
> Regards
> Martin
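Added example (not part of the original messages and not strongSwan code): a small Python sketch that correlates the charon messages quoted in this thread to show which IKE_SA the unanswered DELETE, its retransmits and the final "destroying IKE_SA in state DELETING" line belong to. The sample log is constructed in the format shown above, with a placeholder hostname and peer identity; attributing the unnamed destroy line to the pending DELETE is an assumption that only holds while a single delete exchange is outstanding.

```python
import re

# Constructed sample in the charon format quoted in the thread; hostname and
# peer identity are placeholders.
SAMPLE_LOG = """\
Jun 28 13:00:52 gw charon: 14[IKE] deleting duplicate IKE_SA for peer 'peer.example.org' due to uniqueness policy
Jun 28 13:00:52 gw charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 gw charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 gw charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[peer.example.org]
Jun 28 13:00:56 gw charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:01:04 gw charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:17 gw charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:22 gw charon: 10[IKE] destroying IKE_SA in state DELETING without notification
"""

MSG = re.compile(r"charon: \d+\[\w+\] (.*)$")
DUP = re.compile(r"deleting duplicate IKE_SA for peer '([^']+)' due to uniqueness policy")
DELETE = re.compile(r"sending DELETE for IKE_SA (\S+\[\d+\])")
GEN = re.compile(r"generating INFORMATIONAL request (\d+) \[ D \]")
ESTAB = re.compile(r"IKE_SA (\S+\[\d+\]) established")
RETX = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
DESTROY = "destroying IKE_SA in state DELETING without notification"

def explain(log):
    """Correlate a uniqueness-policy DELETE with its retransmits and teardown."""
    r = {"peer": None, "deleted_sa": None, "delete_msg_id": None,
         "established": [], "retransmits": 0, "delete_unanswered": False}
    for raw in log.splitlines():
        m = MSG.search(raw)
        if not m:
            continue
        msg = m.group(1)
        if (d := DUP.search(msg)):
            r["peer"] = d.group(1)
        elif (d := DELETE.search(msg)):
            r["deleted_sa"] = d.group(1)
        elif (d := GEN.search(msg)) and r["deleted_sa"]:
            r["delete_msg_id"] = int(d.group(1))   # message ID of the DELETE request
        elif (d := ESTAB.search(msg)):
            r["established"].append(d.group(1))
        elif (d := RETX.search(msg)) and int(d.group(2)) == r["delete_msg_id"]:
            r["retransmits"] = max(r["retransmits"], int(d.group(1)))
        elif DESTROY in msg and r["deleted_sa"]:
            # Assumption: the line names no SA, so it is attributed to the pending DELETE.
            r["delete_unanswered"] = True
    return r

if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
```

On the constructed sample the report names `fqdn_vr[3]` as the SA that was torn down after three unanswered retransmits, while `fqdn_vr[4]` appears only under the established SAs.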
