IPSec Fallback mechanism subnet/supernet

Hi,

I established two IPsec tunnels terminating at one hub. Configuration:

1st tunnel: right subnet 192.168.4.0/24
2nd tunnel: right subnet 192.168.0.0/16

Both tunnels have the same gateway, 172.16.28.108.

I am using the FreeS/WAN code.

Now what I am observing is that if I disable the 192.168.4.0/24 tunnel and send a ping request to 192.168.4.1, the ICMP IPsec SA is negotiated for the 2nd tunnel (the supernet one, which is already correctly established). Why is this happening?

Further, on continuous pinging (to a machine on network 192.168.4.0/24), a new IPsec SA (for tunnel 192.168.0.0/26) is negotiated on every request.

On debugging I found that when I disable a particular tunnel, the path corresponding to it is marked as trapped. Now KLIPS captures the outbound packets on the trapped path and tries to send them through another, closest-matched active path. Thus in this scenario, KLIPS is capturing the outbound packets destined for the 192.168.4.0/24 subnet and is trying to transfer them through 192.168.0.0/16. Is my inference correct?

If this is the default behavior, then why is the IPsec SA being renegotiated for every outbound ICMP packet? (The IPsec SA should be established once and then used for every ping request.)

If you have any hint or reference, please do share it.

Thanking you, Anshul Makkar

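The post above describes a selector lookup: the outgoing packet's destination is matched against the installed IPsec policies (KLIPS eroutes), the most specific selector wins, and a disabled tunnel leaves its selector in a "trap" state. The following Python model, added here as an illustration and not FreeS/WAN or KLIPS code, reproduces that lookup on the two selectors from the post (192.168.4.0/24 and 192.168.0.0/16, gateway 172.16.28.108) so the observed fallback can be reasoned about. The table layout, the `prefer_active` rule (skip trapped entries when a less specific active one exists) and the "a trap negotiates once, then the entry becomes a tunnel" transition are assumptions of this model, not documented KLIPS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of an eroute table (assumption: not the real KLIPS structure).
#   state "tunnel": an IPsec SA exists, packets are encrypted and sent immediately
#   state "trap":   no SA; a matching packet is caught and triggers SA negotiation
@dataclass
class Eroute:
    dst: ipaddress.IPv4Network
    gateway: str
    state: str


@dataclass
class Outcome:
    eroute: Optional[Eroute]
    action: str  # "sent", "negotiate" or "nopolicy"


def lookup(table: List[Eroute], dst_ip: str, prefer_active: bool = True) -> Optional[Eroute]:
    """Longest-prefix match over the destination selectors.

    With prefer_active=True (the fallback the post describes), trapped entries
    are ignored whenever at least one active entry also covers the address.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [e for e in table if ip in e.dst]
    if not candidates:
        return None
    if prefer_active:
        active = [e for e in candidates if e.state == "tunnel"]
        if active:
            candidates = active
    return max(candidates, key=lambda e: e.dst.prefixlen)


def send(table: List[Eroute], dst_ip: str) -> Outcome:
    """Deliver one outbound packet: send through an active SA, or negotiate once."""
    e = lookup(table, dst_ip)
    if e is None:
        return Outcome(None, "nopolicy")
    if e.state == "tunnel":
        return Outcome(e, "sent")
    # Trap hit: negotiation runs and the SA is installed, so the *next* packet
    # to the same selector must be sent without another negotiation.
    e.state = "tunnel"
    return Outcome(e, "negotiate")


def build_table() -> List[Eroute]:
    # Both selectors from the post, both initially established.
    return [
        Eroute(ipaddress.ip_network("192.168.4.0/24"), "172.16.28.108", "tunnel"),
        Eroute(ipaddress.ip_network("192.168.0.0/16"), "172.16.28.108", "tunnel"),
    ]


def disable(table: List[Eroute], prefix: str) -> None:
    """Disabling a tunnel leaves its selector in place but marks it as a trap."""
    for e in table:
        if e.dst == ipaddress.ip_network(prefix):
            e.state = "trap"


def simulate_fallback():
    """Ping 192.168.4.1 before and after disabling the /24 tunnel."""
    table = build_table()
    r1 = send(table, "192.168.4.1")          # /24 is the longest match
    disable(table, "192.168.4.0/24")
    r2 = send(table, "192.168.4.1")          # /24 trapped -> /16 is used instead
    r3 = send(table, "192.168.4.1")          # /16 SA already exists -> no new negotiation
    prefixes = [r.eroute.dst.prefixlen for r in (r1, r2, r3)]
    actions = [r.action for r in (r1, r2, r3)]
    return prefixes, actions


def simulate_trap_once():
    """A trapped selector negotiates exactly once, then reuses the SA."""
    table = [Eroute(ipaddress.ip_network("192.168.0.0/16"), "172.16.28.108", "trap")]
    actions = [send(table, "192.168.10.1").action for _ in range(3)]
    return actions


if __name__ == "__main__":
    print(simulate_fallback())    # ([24, 16, 16], ['sent', 'sent', 'sent'])
    print(simulate_trap_once())   # ['negotiate', 'sent', 'sent']
```

In this model the second and third pings to 192.168.4.1 go out over the already established /16 SA without any further negotiation, which is the behaviour the post expects; a new SA appearing on every ping, as the post reports, is therefore not explained by selector matching alone, and is the point to investigate (for instance whether the /16 SA is actually installed in the kernel, or whether the trapped /24 entry is still catching each packet).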

Hi,

Please reply. Thanks


Hi IPSec tuto:

formatting link

