Ubuntu
strongswan package

strongSwan keeps adding entries for the same connection

Bug #823549 reported by Kees van Reeuwijk on 2011-08-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	strongswan (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

The attached configuration files create a symmetric connection between two hosts on my home network. Although the connection works (I can ping10.1.0.1 and 10.1.0.2 on both machines), there is something seriously wrong with the setup: it keeps adding entries for the same connection.

The attached output of 'ipsec statusall' shows this: there are duplicate Virtual IP pools, there are duplicate connections listed, and there are duplicate SAs listed. The number of duplicates keeps growing: the attached snapshots were made only a few seconds after the connection was established, but if I wait long enough there are thousands of duplicates.

Since I'm new to strongSwan, It is quite possible that I have made an error in the configuration, but as far as I can tell this configuration is not one I should expect to `explode' like this.

I am assuming that the files I provide here are sufficient to reproduce the configuration, if not the error, but I am of course happy to provide more information.

Revision history for this message

Kees van Reeuwijk (reeuwijk) wrote on 2011-08-09:

archie-ipsec.conf Edit (426 bytes, text/plain)

Revision history for this message

Kees van Reeuwijk (reeuwijk) wrote on 2011-08-09:

kokone-ipsec.conf Edit (440 bytes, text/plain)

Revision history for this message

Kees van Reeuwijk (reeuwijk) wrote on 2011-08-09:

archie.statusall Edit (5.6 KiB, text/plain)

Revision history for this message

Kees van Reeuwijk (reeuwijk) wrote on 2011-08-09:

kokone.statusall Edit (7.1 KiB, text/plain)

Revision history for this message

Kees van Reeuwijk (reeuwijk) wrote on 2011-08-09:

Oh, and the OS version: Both machines run Ubuntu:

Linux kokone 2.6.38-10-generic-pae #46-Ubuntu SMP Tue Jun 28 16:54:49 UTC 2011 i686 athlon i386 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 11.04
Release: 11.04
Codename: natty

Revision history for this message

Tobias Brunner (tobias-strongswan) wrote on 2011-08-10:

Hi Kees,

first, I can't really reproduce the "it keeps adding entries for the same connection" part. Not sure what that might be cause by. Could you post the full logs here?

Then about your configs. The left-/rightsourceip options are not really intended for what you are using them for. What's your idea here?

Also, it is not recommended to configure "auto=start" on both sides in 4.5.0. If you want the connection to be always up, then you should have a look at the keyingtries and dpd* options and configure them appropriately on one side, the other end then simply acts as responder. You can also configure "auto=route" so that the connection get's setup up on demand (that does not work with virtual IPs, though).

Regards,
Tobias

Revision history for this message

Tobias Brunner (tobias-strongswan) wrote on 2011-08-11:

Verify that executables are available and set (pluto|charon)start accordingly. Edit (2.2 KiB, text/plain)

Hi Kees,

the attached patch (also committed to master [1]) fixes the "keeps adding entries for the same connection" problem. This happens when only one of the daemons is installed (strongswan-ikev1 or strongswan-ikev2) but both are enabled in ipsec.conf. With the patch starter now verifies that the executables are available and, if not, resets the pluto- and charonstart options.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=45048eae2