Hello everyone, I'm running strongSwan 5.6.1 on linux-4.14.x (slackware 14.2 64bit) with iproute 4.14.1
When I issue 'ip -x s p', I get this output: src 10.180.0.0/16 dst 10.81.110.10/32 uid 0 dir out action allow index 137 priority 375423 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2018-01-19 17:43:50 use 2018-01-19 17:47:25 tmpl src 10.81.110.254 dst 10.81.110.10 proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel level required share any enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff src 10.81.110.10/32 dst 10.180.0.0/16 uid 0 dir fwd action allow index 154 priority 375423 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2018-01-19 17:43:50 use - tmpl src 10.81.110.10 dst 10.81.110.254 proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel level required share any enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff src 10.81.110.10/32 dst 10.180.0.0/16 uid 0 dir in action allow index 144 priority 375423 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2018-01-19 17:43:50 use 2018-01-19 17:43:50 tmpl src 10.81.110.10 dst 10.81.110.254 proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel level required share any enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff As you may see, the esp security parameter index is correctly reported for the first policy, but is 0x00000000 for the other two entries. The output from strongSwan 'ipsec statusall' instead show them correctly: INSTALLED, TUNNEL, reqid 4, ESP SPIs: c16fd9e3_i 500e0603_o 3DES_CBC/HMAC_MD5_96/MODP_1024, 11180 bytes_i (215 pkts, 245s ago), 596700 bytes_o (459 pkts, 29s ago) 10.180.0.0/16 === 10.81.110.10/32 Also the output from 'ip -s x s' is reporting correctly the esp spi value: src 10.81.110.254 dst 10.81.110.10 proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel replay-window 0 seq 0x00000000 flag af-unspec (0x00100000) auth-trunc hmac(md5) 0x5b029bb432e892780c4d28a2c4f4253d (128 bits) 96 enc cbc(des3_ede) 0x01cf85a8cc981a3abe5ae9173bd45abbeedfd8d80f176fe9 (192 bits) anti-replay context: seq 0x0, oseq 0x1cb, bitmap 0x00000000 lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 4147(sec), hard 4800(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 596700(bytes), 459(packets) add 2018-01-19 17:43:50 use 2018-01-19 17:43:50 stats: replay-window 0 replay 0 failed 0 src 10.81.110.10 dst 10.81.110.254 proto esp spi 0xc16fd9e3(3245332963) reqid 4(0x00000004) mode tunnel replay-window 32 seq 0x00000000 flag af-unspec (0x00100000) auth-trunc hmac(md5) 0x2354ae62bc484d3c3d9e13c9bae1fd66 (128 bits) 96 enc cbc(des3_ede) 0x15fcba9ac7f78e9126b2394db6e7619ebe4bc27ace4d1603 (192 bits) anti-replay context: seq 0xda, oseq 0x0, bitmap 0xffffffff lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 3968(sec), hard 4800(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 11180(bytes), 215(packets) add 2018-01-19 17:43:50 use 2018-01-19 17:43:50 stats: replay-window 0 replay 0 failed 0 Kindly, I would like to ask if this is the expected behaviour. Thanks in advance Marco Berizzi