[Openswan Users] Relation between ISAKMP and IPsec SA

Giovanni Carbone G.Carbone at reitek.com
Mon Oct 3 07:03:15 EDT 2011


Hello,

I'm trying to understand the relation between the ISAKMP SA state and the IPsec SA state, if there's one.

At the beginning I get this output from "ipsec auto --status" (I've removed some lines in order to make it more readable):

000 "NET-TO-NET1": 10.1.0.0/24===1.1.1.1<1.1.1.1>[+S=C]...2.2.2.2<2.2.2.2>[+S=C]===10.2.0.0/24; erouted; eroute owner: #10
000 "NET-TO-NET1":   newest ISAKMP SA: #0; newest IPsec SA: #10;
000 "NET-TO-NET2": 10.1.0.0/24===1.1.1.1<1.1.1.1>[+S=C]...2.2.2.2<2.2.2.2.>[+S=C]===10.2.1.0/24; erouted; eroute owner: #11
000 "NET-TO-NET2":   newest ISAKMP SA: #5; newest IPsec SA: #11;

000 #10: "NET-TO-NET1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 14109s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #11: "NET-TO-NET2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 12520s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #5: "NET-TO-NET2":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 39348s; newest ISAKMP; lastdpd=14s(seq in:3332 out:0); idle; import:admin initiate


After some rekeys I get this output:

000 "NET-TO-NET1": 10.1.0.0/24===1.1.1.1<1.1.1.1>[+S=C]...2.2.2.2<2.2.2.2>[+S=C]===10.2.0.0/24; erouted; eroute owner: #42208
000 "NET-TO-NET1":   newest ISAKMP SA: #0; newest IPsec SA: #42208;
000 "NET-TO-NET2": 10.1.0.0/24===1.1.1.1<1.1.1.1>[+S=C]...2.2.2.2<2.2.2.2.>[+S=C]===10.2.1.0/24; erouted; eroute owner: #42357
000 "NET-TO-NET2":   newest ISAKMP SA: #42366; newest IPsec SA: #42357;

000 #42208: "NET-TO-NET1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 770s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
000 #42357: "NET-TO-NET2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 10703s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
000 #42366: "NET-TO-NET2":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 40894s; newest ISAKMP; lastdpd=14s(seq in:17199 out:0); idle; import:admin initiate

Now there are two IPsec SAs with "isakmp#42038", but there isn't any ISAKMP SA #42038 running, since it has expired and been deleted.
Is this OK? The tunnels are working fine, but it seems strange to me that there's a reference to a deleted state.
Of course, when the IPsec SA rekey is triggered, the newest ISAKMP SA state is referenced.

Best regards,

G.C.
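An added example, not from the post or from Openswan itself, that parses the status output shown above and lists the IPsec SAs whose isakmp# refers to a state that is no longer present, alongside each connection's "newest ISAKMP SA". The sample text is constructed from the second listing in the post, and the parser assumes the line formats shown there.

```python
import re

# Constructed sample: the post's second "ipsec auto --status" listing, abbreviated.
STATUS = """\
000 "NET-TO-NET1":   newest ISAKMP SA: #0; newest IPsec SA: #42208;
000 "NET-TO-NET2":   newest ISAKMP SA: #42366; newest IPsec SA: #42357;
000 #42208: "NET-TO-NET1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 770s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
000 #42357: "NET-TO-NET2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 10703s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
000 #42366: "NET-TO-NET2":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 40894s; newest ISAKMP; lastdpd=14s(seq in:17199 out:0); idle; import:admin initiate
"""

STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+)')
PARENT_RE = re.compile(r'isakmp#(\d+)')          # present on phase 2 lines only
NEWEST_RE = re.compile(r'^000 "([^"]+)":\s+newest ISAKMP SA: #(\d+);')

def parse_states(text):
    """state number -> {conn, state, parent}; parent is the isakmp# an IPsec SA
    was negotiated under, or None for ISAKMP (phase 1) states."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        parent = PARENT_RE.search(line)
        states[int(m.group(1))] = {
            "conn": m.group(2),
            "state": m.group(3),
            "parent": int(parent.group(1)) if parent else None,
        }
    return states

def newest_isakmp(text):
    """Per-connection 'newest ISAKMP SA' number; #0 means none, returned as None."""
    out = {}
    for line in text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            out[m.group(1)] = int(m.group(2)) or None
    return out

def orphaned_ipsec_sas(states):
    """IPsec SAs whose recorded isakmp# parent is no longer a listed ISAKMP state.
    The reference is historical; a later rekey has to run under a live ISAKMP SA."""
    isakmp = {n for n, s in states.items()
              if s["state"].startswith(("STATE_MAIN_", "STATE_AGGR_"))}
    return sorted(n for n, s in states.items()
                  if s["state"].startswith("STATE_QUICK_") and s["parent"] not in isakmp)
```

Running it over the sample flags #42208 and #42357 as referring to the gone isakmp#42038 while NET-TO-NET2's newest ISAKMP SA is #42366, which matches what the listing above shows.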

