Hello Pavan,

As I mentioned in the last email to Sriram, the kernel should actively reject installation of duplicate policies. It probably does that or replaces the old ones. I did not encounter this behaviour with any of the versions I used (5.x series). I advise trying a newer version like 5.2.1 or 5.2.2.

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 05.02.2015 at 06:53, Pavan Maganti wrote:
> Hi Noel,
>
> The issue mentioned here is with duplicate SA. Sometimes when we try to create
> 512 tunnels we are encountering this issue. 1 or 2 IKE tunnels are having
> duplicate child SAs. How to avoid this? Is there any fix available in the
> latest release?
>
> Regards,
> Pavan
>
> On Wed, Feb 4, 2015 at 1:29 AM, Noel Kuntze <[email protected]> wrote:
>
> Hello Sriram,
>
> Please try using "uniqueids=yes".
>
> Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 02.02.2015 at 09:45, Sriram Raghunathan wrote:
>
> > Hi,
> >
> > Reference: Strongswan version 4.5.3.
> >
> > Currently, I'm debugging a problem with the above version of
> > strongswan software installed on some of the hardwares and the
> > security gateway.
> >
> > The problem is, I see
> > "multiple tunnels being established for a single ike sa". Somehow
> > I feel it's a race condition in the strongswan code. The problem is
> > seen when trying to establish close to 200 tunnels. Below is the
> > config I'm trying with. Could you please help me out here?
> >
> > The problem seen here below:
> >
> > conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
> > conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
> > conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > -----------------------------------------------------------------------------------------------------
> > conn12{245}: INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
> > conn12{245}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
> > conn12{245}: 172.16.11.7/32 === 172.100.7.0/24
> > conn12{250}: INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
> > conn12{250}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
> > conn12{250}: 172.16.11.7/32 === 172.100.7.0/24
> > -----------------------------------------------------------------------------------------------------
> >
> > config setup
> >     plutostart=no
> >     plutodebug=none
> >     nat_traversal=yes
> >     uniqueids=no
> >     charonstart=yes
> >     charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"
> >
> > conn %default
> >     pfs=no
> >     installpolicy=yes
> >     keyingtries=%forever
> >     mobike=no
> >
> > ------ truncated --------------
> > conn conn12
> >     type=tunnel
> >     leftsubnet=172.16.11.7/32
> >     rightsubnet=172.100.7.0/24
> >     left=172.16.11.7
> >     right=172.16.11.61
> >     auto=start
> >     keyexchange=ikev2
> >     authby=psk
> >     reauth=no
> >     ike=3des-sha1-modp1024!
> >     ikelifetime=7200
> >     pfs=no
> >     esp=3des-sha1-noesn!
> >     keylife=3600
> >     dpdaction=clear
> >     dpddelay=10
> >     leftprotoport=0
> >     rightprotoport=0
> >     rekeyfuzz=100%
> >     rekeymargin=540s
> > ------ truncated --------------
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
