<div dir="ltr">Hi libreswan,<br><br>We're running version 3.29 on Ubuntu with Linux kernel 4.15 and we're seeing an issue with duplicate SAs. As I understand, it's normal behavior to have 2 of a 1x1 Phase 2 SA, for example. The newer one will replace the one expiring soon. But we're seeing many many more than that for some connections.<br><br>Here's the output from `ipsec auto --status`:<div><br></div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>000 #476937: "someconnection/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10800s; newest ISAKMP; lastdpd=30s(seq in:5880 out:0); idle;<br>000 #493485: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 28s; isakmp#476937; idle;<br>000 #493485: "someconnection/1x1" esp.f1fe58dd@M.M.M.M esp.f399709c@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #493560: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 108s; isakmp#476937; idle;<br>000 #493560: "someconnection/1x1" esp.27c2bd16@M.M.M.M esp.ab211c5d@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #493653: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 188s; isakmp#476937; idle;<br>000 #493653: "someconnection/1x1" esp.5f057b15@M.M.M.M esp.9cda7919@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #493735: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 258s; isakmp#476937; idle;<br>000 #493735: "someconnection/1x1" esp.34bdbc9@M.M.M.M esp.a5be9699@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! 
ESPmax=4194303B<br>000 #493823: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 338s; isakmp#476937; idle;<br>000 #493823: "someconnection/1x1" esp.67112f99@M.M.M.M esp.b60f3f58@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #493898: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 418s; isakmp#476937; idle;<br>000 #493898: "someconnection/1x1" esp.f52d069@M.M.M.M esp.89ef4b84@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #493985: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 498s; isakmp#476937; idle;<br>000 #493985: "someconnection/1x1" esp.82c1eac3@M.M.M.M esp.d95669e9@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #494085: "someconnection/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 578s; isakmp#476937; idle;<br>000 #494085: "someconnection/1x1" esp.44878df8@M.M.M.M esp.58d0461c@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>. . .<br>many more 1X1 lines here<br>. . .<br>000 #494203: "someconnection/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 689s; isakmp#476937; idle;<br>000 #494203: "someconnection/2x2" esp.434e62cd@M.M.M.M esp.77061dad@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #497436: "someconnection/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2376s; newest IPSEC; eroute owner; isakmp#476937; idle;<br>000 #497436: "someconnection/2x2" esp.3188ff95@M.M.M.M esp.3abbc026@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! 
ESPmax=4194303B<br>000 #495543: "someconnection/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1247s; newest IPSEC; eroute owner; isakmp#476937; idle;<br>000 #495543: "someconnection/2x3" esp.ff13e8c2@M.M.M.M esp.abbd4dbe@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=1MB ESPout=265KB! ESPmax=4194303B<br>000 #494933: "someconnection/3x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 750s; newest IPSEC; eroute owner; isakmp#476937; idle;<br>000 #494933: "someconnection/3x1" esp.8645701d@M.M.M.M esp.5c927d91@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>000 #496280: "someconnection/3x2":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2229s; newest IPSEC; eroute owner; isakmp#476937; idle;<br>000 #496280: "someconnection/3x2" esp.79347e6a@M.M.M.M esp.1234c872@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=3KB ESPout=263KB! ESPmax=4194303B<br>000 #476661: "someconnection/3x3":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9984s; newest ISAKMP; lastdpd=17746s(seq in:0 out:0); idle;<br>000 #494238: "someconnection/3x3":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 445s; newest IPSEC; eroute owner; isakmp#476937; idle;<br>000 #494238: "someconnection/3x3" esp.4079303a@M.M.M.M esp.f8851c94@N.N.N.N tun.0@M.M.M.M tun.0@N.N.N.N ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! 
ESPmax=4194303B</div></blockquote><br>And here's the config:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>conn someconnection</div><div>    type=tunnel</div><div>    authby=secret</div><div>    left="N.N.N.N"</div><div>    leftid=A.A.A.A</div><div>    leftsubnets=" B.B.B.B/32 C.C.C.C/32 D.D.D.D/32 "</div><div>    right=M.M.M.M</div><div>    rightsubnets=" E.E.E.E/32 F.F.F.F/32 G.G.G.G/32 "</div><div>    auto=start</div><div>    ike=REDACTED</div><div>    phase2alg=REDACTED</div><div>    ikelifetime=28800</div><div>    salifetime=3600</div><div>    dpdaction=restart</div><div>    dpddelay=30</div><div>    dpdtimeout=120</div><div>    pfs=yes</div><div>    ikev2=no</div><div><br></div></blockquote>Bouncing the connection only helps for a while, then the SAs stack up again. Any ideas?<div><br></div><div>Thanks in advance for your help.<br><div><br><div><div>-- <br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Alan Szlosek<div>Infrastructure Engineer</div><div><a href="https://www.redoxengine.com" target="_blank">redoxengine.com</a></div></div></div></div></div></div></div></div></div></div>
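For anyone triaging the same symptom, here is an added example (not part of Alan's message and not libreswan's own tooling) that parses `ipsec auto --status` output of the shape quoted above, counts established IPsec SAs per connection instance, and flags instances that hold more than the normal pair of one expiring SA plus its replacement. The sample status lines are constructed in the style of the post using RFC 5737 documentation addresses; the threshold of two SAs per instance and all connection and state numbers are assumptions.

```python
import re
from collections import defaultdict

# Matches the per-state line of `ipsec auto --status` (IKEv1 output as in the post).
# The second line per SA (esp.<spi>@addr ... Traffic: ...) has no ":port" after the
# connection name and is deliberately not matched.
STATE_LINE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s;(?P<flags>.*)$'
)

# Constructed sample in the style of the post; addresses are RFC 5737 documentation ranges.
SAMPLE_STATUS = """\
000 #101: "demo/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10800s; newest ISAKMP; lastdpd=30s(seq in:5880 out:0); idle;
000 #201: "demo/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 28s; isakmp#101; idle;
000 #201: "demo/1x1" esp.00000001@198.51.100.1 esp.00000002@203.0.113.1 tun.0@198.51.100.1 tun.0@203.0.113.1 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #202: "demo/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 108s; isakmp#101; idle;
000 #203: "demo/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 188s; isakmp#101; idle;
000 #204: "demo/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2376s; newest IPSEC; eroute owner; isakmp#101; idle;
000 #301: "demo/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 689s; isakmp#101; idle;
000 #302: "demo/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2376s; newest IPSEC; eroute owner; isakmp#101; idle;
000 #401: "demo/3x3":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 445s; newest IPSEC; eroute owner; isakmp#101; idle;
"""


def parse_status(text):
    """Return one dict per state line; SPI/traffic lines are skipped."""
    sas = []
    for raw in text.splitlines():
        m = STATE_LINE.match(raw.strip())
        if not m:
            continue
        sa = m.groupdict()
        sa["num"] = int(sa["num"])
        sa["secs"] = int(sa["secs"])
        # Phase 2 (IPsec) SAs carry this text; ISAKMP SAs say "ISAKMP SA established".
        sa["ipsec"] = "IPsec SA established" in sa["desc"]
        sa["newest"] = "newest IPSEC" in sa["flags"]
        sas.append(sa)
    return sas


def ipsec_sa_counts(sas):
    """Number of established IPsec SAs per connection instance (e.g. 'demo/1x1')."""
    counts = defaultdict(int)
    for sa in sas:
        if sa["ipsec"]:
            counts[sa["conn"]] += 1
    return dict(counts)


def superseded_sas(sas):
    """IPsec SAs that are not 'newest IPSEC', keyed by connection instance.

    One such SA (the old one waiting for EVENT_SA_EXPIRE) is normal during rekey;
    several per instance is the stacking the post describes.
    """
    old = defaultdict(list)
    for sa in sas:
        if sa["ipsec"] and not sa["newest"]:
            old[sa["conn"]].append(sa["num"])
    return dict(old)


def stacked_connections(sas, max_expected=2):
    """Connection instances holding more IPsec SAs than the expected old+replacement pair.

    max_expected=2 is an assumed threshold, not a libreswan setting.
    """
    return sorted(conn for conn, n in ipsec_sa_counts(sas).items() if n > max_expected)


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    for conn, n in sorted(ipsec_sa_counts(parsed).items()):
        print(f"{conn}: {n} IPsec SA(s), superseded: {superseded_sas(parsed).get(conn, [])}")
    print("stacked:", stacked_connections(parsed))
```

To run it against a live system, replace `SAMPLE_STATUS` with the captured output of `ipsec auto --status` (for example via `subprocess.run`); a connection instance that keeps appearing in `stacked_connections()` across several runs, with its superseded SAs all waiting on `EVENT_SA_EXPIRE`, is the pattern to correlate with the rekey timing and DPD restarts in the pluto log.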