Hi,

There is ipsec configuration made between two linux machines.(version 2.6.21.7)
strongswan version is 4.3.1. configuration is done using ikev2.

There is a rule r1 making use of tunnel v1.
Also there is a rule r2 making use of tunnel v2.

Same set of certificates is used between two tunnels.

When the traffic hits the rule r1,ike negotiations start, child sa gets established. ESP packets start flowing.

But when the traffic is sent which hits the rule r2. Now Ike negotiations have to start from v2. But instead of that, charon says that ike_sa already exists and it tries make this new ike sa as the child sa of existing ike sa and fails eventually.

To overcome this problem, reuse_ikesa = no is added to strongswan.conf file. But with this configuration, when the traffic hits the rule r2, old ike_sa got deleted and new one got established.

But we want both the tunnels to be established at the same time, with the same set of certificates.
Any ideas ?

Regards,
Sriram.

This is due to the uniqueids option in ipsec.conf. The default value for this is 'yes' which means that only one IKE_SA with a specific set of identities is allowed. Since you have configured the same certificate for both SAs this will be the case here. By setting uniqueids=no you should be able to create two IKE_SAs with the same identities.

It actually tries to create a new CHILD_SA within the existing IKE_SA. What is the reason this fails eventually? Could you post excerpts of the logs (of both hosts) that show the failure?

Thank you very much for the response. with unique_ids=no in ipsec.conf and reuse_ikesa=no in strongswan.conf, we are able to comeover the problem.

Regards,
Sriram.