FlexVPN: much IPSec SA on Tunnel

Dear colleagues,

I'm trying to connect a Cisco IOS device (800/15.6M or CSR1kv/XE16.12) to Strongswan using the FlexVPN model. It connects and I see traffic (e.g. pings between Cisco and the remote side), but Cisco (both of the software versions mentioned above) generates a lot of IPsec SAs while, in fact, the router is idle (this is a test lab without real traffic):

c800-vpn#show crypto ipsec sa count
IPsec SA total: 114, active: 6, rekeying: 0, unused: 108, invalid: 0

All SAs have the same configuration (except conn_id and flow_id):

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.10.10.48

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.11.13.129/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 4500
     PERMIT, flags={}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 10.10.10.48, remote crypto endpt.: x.x.x.x
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xC6798510(3329852688)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x24671BCA(610737098)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/83)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xDD217DEB(3709959659)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/144)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
[ ... other hundreds of SAs ... ]

Configuration of IOS device is the following:

crypto ikev2 proposal QLD-proposal
 encryption aes-gcm-256
 prf sha256
 group 14
!
crypto ikev2 policy QLD-policy
 match fvrf any
 proposal QLD-proposal
!
crypto ikev2 profile QLD-profile
 match identity remote fqdn vpn.domain.my
 identity local email cisco
 authentication local eap mschapv2 username cisco password q1w2e3
 authentication remote rsa-sig
 pki trustpoint lenc
!
crypto ipsec transform-set QLD-ng esp-gcm 256
 mode tunnel
!
crypto ipsec profile QLD-tun
 set transform-set QLD-ng
 set ikev2-profile QLD-profile
!
interface Tunnel0
 ip address negotiated
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec profile QLD-tun
!
interface FastEthernet4
 ip address 10.10.10.48 255.255.255.0
 duplex auto
 speed auto

The remote side (Strongswan) reports that the peer (IOS) asks for the next child SA while the lifetime of all previous SAs (with the same TS) is far from expiring:

<ikev2-eap-mschapv2|1> received packet: from client.ip[4500] to server.ip[4500] (177 bytes)
<ikev2-eap-mschapv2|1> parsed CREATE_CHILD_SA request 84 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} state change: CREATED => INSTALLING
<ikev2-eap-mschapv2|1>   using AES_GCM_16 for encryption
<ikev2-eap-mschapv2|1> adding inbound ESP SA
<ikev2-eap-mschapv2|1>   SPI 0xd4391e2c, src client.ip dst server.ip
<ikev2-eap-mschapv2|1> adding outbound ESP SA
<ikev2-eap-mschapv2|1>   SPI 0xeeb97465, src server.ip dst client.ip
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} established with SPIs d4391e2c_i eeb97465_o and TS 0.0.0.0/0 === 10.11.13.129/32
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} state change: INSTALLING => INSTALLED
<ikev2-eap-mschapv2|1> generating CREATE_CHILD_SA response 84 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> sending packet: from server.ip[4500] to client.ip[4500] (177 bytes)

So, the question is: why does IOS behave in this way, and how can this behaviour be avoided?

Thank you!
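One way to measure this kind of SA churn from the router side, as an added example that is not from the post, from Cisco or from the strongSwan project: it parses `show crypto ipsec sa` output, groups the SAs by traffic selector and, assuming the IOS default IPsec SA lifetime of 3600 s (the `lifetime_sec` parameter), estimates how often a new child SA is being created for the same selector.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in the layout of "show crypto ipsec sa": the first two SPIs and
# lifetimes are the ones in the post, the third SA is made up, packet counters omitted.
SAMPLE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (10.11.13.129/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     inbound esp sas:
      spi: 0x24671BCA(610737098)
        sa timing: remaining key lifetime (k/sec): (4608000/83)
      spi: 0xDD217DEB(3709959659)
        sa timing: remaining key lifetime (k/sec): (4608000/144)
      spi: 0x0A0B0C0D(168496141)
        sa timing: remaining key lifetime (k/sec): (4608000/205)
"""

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

def parse_sas(text):
    """Group SAs by traffic selector: {(local, remote): [(spi, kb_left, sec_left), ...]}."""
    groups, ident, spi = defaultdict(list), {}, None
    for line in text.splitlines():
        if m := IDENT_RE.match(line):
            ident[m.group(1)] = m.group(2)
        elif m := SPI_RE.match(line):
            spi = m.group(1)
        elif (m := LIFE_RE.search(line)) and spi:
            key = (ident.get("local"), ident.get("remote"))
            groups[key].append((spi, int(m.group(1)), int(m.group(2))))
            spi = None  # one lifetime line per SA
    return dict(groups)

def churn_report(text, lifetime_sec=3600, expected_max=2):
    """Per selector: SA count and the median interval between SA creations, estimated
    as (configured lifetime - remaining seconds); lifetime_sec assumes the IOS default."""
    report = {}
    for ts, sas in parse_sas(text).items():
        ages = sorted(lifetime_sec - sec for _, _, sec in sas)  # youngest first
        gaps = [b - a for a, b in zip(ages, ages[1:])]
        report[ts] = {
            "count": len(sas),
            "median_gap_sec": median(gaps) if gaps else None,
            "suspicious": len(sas) > expected_max,  # normal rekey overlaps only briefly
        }
    return report
```

Fed the full output from the router, a selector holding far more SAs than `expected_max` with a short, regular median gap shows how often new child SAs are being requested for that selector.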
