Hi Noel,

The issue mentioned here is with duplicate SA. Sometimes when we try to create 512 tunnels we are encountering this issue. 1 or 2 IKE tunnels are having duplicate child SAs. How to avoid this? Is there any fix available in the latest release?

Regards,
Pavan

On Wed, Feb 4, 2015 at 1:29 AM, Noel Kuntze <[email protected]> wrote:
> Hello Sriram,
>
> Please try using "uniqueids=yes".
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 02.02.2015 at 09:45, Sriram Raghunathan wrote:
> >
> > Hi,
> >
> > Reference: Strongswan version 4.5.3.
> >
> > Currently, I'm debugging a problem with the above version of
> > strongswan software installed on some of the hardwares and the
> > security gateway.
> >
> > The problem is, I see
> > "multiple tunnels being established for a single ike sa". Somehow
> > feel it's a race condition in the strongswan code. The problem is
> > seen when trying to establish close to 200 tunnels. Below is the
> > config I'm trying with. Could you please help me out here?
> >
> > The problem seen here below:
> >
> > conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
> > conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
> > conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > -----------------------------------------------------------------------------------------------------
> > conn12{245}: INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
> > conn12{245}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
> > conn12{245}: 172.16.11.7/32 === 172.100.7.0/24
> > conn12{250}: INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
> > conn12{250}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
> > conn12{250}: 172.16.11.7/32 === 172.100.7.0/24
> > -----------------------------------------------------------------------------------------------------
> >
> > config setup
> >     plutostart=no
> >     plutodebug=none
> >     nat_traversal=yes
> >     uniqueids=no
> >     charonstart=yes
> >     charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"
> >
> > conn %default
> >     pfs=no
> >     installpolicy=yes
> >     keyingtries=%forever
> >     mobike=no
> >
> > ------ truncated --------------
> > conn conn12
> >     type=tunnel
> >     leftsubnet=172.16.11.7/32
> >     rightsubnet=172.100.7.0/24
> >     left=172.16.11.7
> >     right=172.16.11.61
> >     auto=start
> >     keyexchange=ikev2
> >     authby=psk
> >     reauth=no
> >     ike=3des-sha1-modp1024!
> >     ikelifetime=7200
> >     pfs=no
> >     esp=3des-sha1-noesn!
> >     keylife=3600
> >     dpdaction=clear
> >     dpddelay=10
> >     leftprotoport=0
> >     rightprotoport=0
> >     rekeyfuzz=100%
> >     rekeymargin=540s
> > ------ truncated --------------
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
