Dear colleagues,
I'm trying to connect a Cisco IOS device (800/15.6M or CSR1kv/XE16.12) to Strongswan using the FlexVPN model. It connects and I see traffic (e.g. pings between Cisco and the remote side), but Cisco (both versions of software mentioned above) generates a lot of IPsec SAs, while in fact the router is idle (this is a test lab without real traffic):
c800-vpn#show crypto ipsec sa count
IPsec SA total: 114, active: 6, rekeying: 0, unused: 108, invalid: 0
All SAs have the same configuration (except conn_id, flow_id):
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.10.10.48
protected vrf: (none)
local ident (addr/mask/prot/port): (10.11.13.129/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 4500
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 10.10.10.48, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xC6798510(3329852688)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x24671BCA(610737098)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/83)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xDD217DEB(3709959659)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/144)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
[ ... other hundreds of SAs ... ]
The configuration of the IOS device is the following:
crypto ikev2 proposal QLD-proposal
encryption aes-gcm-256
prf sha256
group 14
!
crypto ikev2 policy QLD-policy
match fvrf any
proposal QLD-proposal
!
crypto ikev2 profile QLD-profile
match identity remote fqdn vpn.domain.my
identity local email cisco
authentication local eap mschapv2 username cisco password q1w2e3
authentication remote rsa-sig
pki trustpoint lenc
!
crypto ipsec transform-set QLD-ng esp-gcm 256
mode tunnel
!
crypto ipsec profile QLD-tun
set transform-set QLD-ng
set ikev2-profile QLD-profile
!
interface Tunnel0
ip address negotiated
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile QLD-tun
!
interface FastEthernet4
ip address 10.10.10.48 255.255.255.0
duplex auto
speed auto
The remote side (Strongswan) reports that the peer (IOS) asks for the next child SA while the lifetime of all previous SAs (with the same TS) is far from being exceeded:
<ikev2-eap-mschapv2|1> received packet: from client.ip[4500] to server.ip[4500] (177 bytes)
<ikev2-eap-mschapv2|1> parsed CREATE_CHILD_SA request 84 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} state change: CREATED => INSTALLING
<ikev2-eap-mschapv2|1> using AES_GCM_16 for encryption
<ikev2-eap-mschapv2|1> adding inbound ESP SA
<ikev2-eap-mschapv2|1> SPI 0xd4391e2c, src client.ip dst server.ip
<ikev2-eap-mschapv2|1> adding outbound ESP SA
<ikev2-eap-mschapv2|1> SPI 0xeeb97465, src server.ip dst client.ip
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} established with SPIs d4391e2c_i eeb97465_o and TS 0.0.0.0/0 === 10.11.13.129/32
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} state change: INSTALLING => INSTALLED
<ikev2-eap-mschapv2|1> generating CREATE_CHILD_SA response 84 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> sending packet: from server.ip[4500] to client.ip[4500] (177 bytes)
So, the question is: why does IOS behave in this way, and how can this behaviour be avoided?
Thank you!
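An added example (not from the post, and not Cisco or strongSwan code) that turns the two observations above into a check an operator can run against their own logs: it parses charon's "CHILD_SA ... established" lines to find several live CHILD_SAs with identical traffic selectors on one IKE_SA, and parses the IOS "show crypto ipsec sa count" summary line into numbers. The log lines, SPIs and second client address in SAMPLE_LOG are constructed to match the format quoted in the post; the `max_per_ts` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample charon log lines, modelled on the strongSwan output quoted in the post.
# SPIs and the second client address are made up; only the line format follows charon.
SAMPLE_LOG = """\
<ikev2-eap-mschapv2|1> parsed CREATE_CHILD_SA request 82 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> CHILD_SA carlo{68} established with SPIs 0a1b2c3d_i 4e5f6071_o and TS 0.0.0.0/0 === 10.11.13.129/32
<ikev2-eap-mschapv2|1> parsed CREATE_CHILD_SA request 83 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> CHILD_SA carlo{69} established with SPIs 11223344_i 55667788_o and TS 0.0.0.0/0 === 10.11.13.129/32
<ikev2-eap-mschapv2|1> parsed CREATE_CHILD_SA request 84 [ SA No TSi TSr ]
<ikev2-eap-mschapv2|1> CHILD_SA carlo{70} established with SPIs d4391e2c_i eeb97465_o and TS 0.0.0.0/0 === 10.11.13.129/32
<ikev2-eap-mschapv2|2> CHILD_SA carlo{71} established with SPIs 0badcafe_i cafebabe_o and TS 0.0.0.0/0 === 10.11.13.130/32
"""

# Matches charon's "CHILD_SA name{id} established with SPIs ..._i ..._o and TS local === remote"
ESTABLISHED_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> CHILD_SA (?P<name>[^{\s]+)\{(?P<child_id>\d+)\}"
    r" established with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
    r" and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)

# Matches the summary line of IOS "show crypto ipsec sa count"
COUNT_RE = re.compile(
    r"IPsec SA total: (?P<total>\d+), active: (?P<active>\d+), rekeying: (?P<rekeying>\d+),"
    r" unused: (?P<unused>\d+), invalid: (?P<invalid>\d+)"
)


def parse_established(log_text):
    """Return one dict per 'CHILD_SA ... established' line; other charon lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def redundant_child_sas(log_text, max_per_ts=1):
    """Group established CHILD_SAs by (IKE_SA id, local TS, remote TS).

    Returns only the groups holding more than max_per_ts CHILD_SAs, mapping the
    key to the child ids in the order they were established. Several CHILD_SAs
    with identical selectors on one IKE_SA, none of them near the end of its
    lifetime, is the pattern the post describes.
    """
    groups = defaultdict(list)
    for e in parse_established(log_text):
        key = (e["ike_id"], e["ts_local"], e["ts_remote"])
        groups[key].append(e["child_id"])
    return {k: v for k, v in groups.items() if len(v) > max_per_ts}


def parse_ios_sa_count(line):
    """Parse the 'show crypto ipsec sa count' summary line into integers."""
    m = COUNT_RE.search(line)
    if not m:
        raise ValueError("not a 'show crypto ipsec sa count' summary line")
    return {k: int(v) for k, v in m.groupdict().items()}


if __name__ == "__main__":
    for (ike_id, ts_local, ts_remote), ids in redundant_child_sas(SAMPLE_LOG).items():
        print(f"IKE_SA #{ike_id}: {len(ids)} CHILD_SAs for TS {ts_local} === {ts_remote}: {ids}")
    counts = parse_ios_sa_count("IPsec SA total: 114, active: 6, rekeying: 0, unused: 108, invalid: 0")
    print(f"IOS side: {counts['unused']} of {counts['total']} SAs unused")
```

Run against a real charon log, the first loop lists each IKE_SA whose CHILD_SAs share a traffic selector more times than expected; the IOS summary parser gives the matching number on the router side, so the two can be compared over time to see whether the count keeps growing or levels off.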