IPSec Fallback mechanism subnet/supernet
Hi,
I established two IPSEC tunnels terminating at one hub.
Configuration :
1st tunnel : right subnet as 192.168.4.0/24
2nd tunnel: right subnet as 192.168.0.0/16
Both the tunnels have same gateway as 172.16.28.108
I am using freeswan code.
Now what I am observing is that, if I disable the 192.168.4.0/24
tunnel and send a ping request to 192.168.4.1, the ICMP IPSEC SA is
negotiated for the 2nd tunnel (the supernet one, which is already correctly
established). Why is this happening?
Further, on continuous pinging (to a machine on network 192.168.4.0/24),
a new IPSEC SA (for tunnel 192.168.0.0/26) is negotiated on every
request.
On debugging I found that when I disable a particular tunnel, the path
corresponding to it is marked as trapped. Now klips captures the
outbound packets on the trapped path and tries to send them through
another closest matched active path. Thus in this scenario, klips is
capturing the outbound packets destined for the 192.168.4.0/24 subnet and
is trying to transfer them through 192.168.0.0/16. Is my inference
correct?
If this is the default behavior, then why is the IPSEC SA being
renegotiated for every outbound ICMP packet? (The IPSEC SA should be
established once and then used for every ping request.)
Please, if you have any hint or reference, then do share it.
Thanking You
Anshul Makkar
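The selection behaviour the post describes (a disabled tunnel's selector is set aside, and outbound traffic falls to the most specific selector that is still active) is ordinary longest-prefix matching over overlapping policy selectors. The following Python model is an added example, not FreeS/WAN or KLIPS code: the `SPD`, `TunnelPolicy`, `set_trapped` and `lookup` names are hypothetical, and the two tunnel entries are constructed from the subnets and gateway given in the post. It shows why 192.168.4.1 is carried by the 192.168.4.0/24 entry while both are active, and by the 192.168.0.0/16 entry once the /24 is trapped.

```python
"""Longest-prefix policy selection over overlapping IPsec selectors.

Hypothetical model (not FreeS/WAN or KLIPS code): a security policy
database (SPD) holds one entry per tunnel keyed by its "right subnet".
Disabling a tunnel marks its entry trapped; an outbound lookup picks the
most specific entry that is still active.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelPolicy:
    name: str
    right_subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    trapped: bool = False  # set when the tunnel is brought down

    def matches(self, dst: ipaddress.IPv4Address) -> bool:
        return dst in self.right_subnet


class SPD:
    def __init__(self) -> None:
        self.policies: list[TunnelPolicy] = []

    def add(self, name: str, subnet: str, gateway: str) -> TunnelPolicy:
        policy = TunnelPolicy(name, ipaddress.ip_network(subnet),
                              ipaddress.ip_address(gateway))
        self.policies.append(policy)
        return policy

    def set_trapped(self, name: str, trapped: bool = True) -> None:
        """Mark a tunnel's selector trapped (tunnel disabled) or active again."""
        for policy in self.policies:
            if policy.name == name:
                policy.trapped = trapped
                return
        raise KeyError(name)

    def lookup(self, dst_ip: str):
        """Return the active policy with the longest matching prefix, or None."""
        dst = ipaddress.ip_address(dst_ip)
        candidates = [p for p in self.policies
                      if not p.trapped and p.matches(dst)]
        if not candidates:
            return None
        # Most specific selector wins: a /24 beats an overlapping /16.
        return max(candidates, key=lambda p: p.right_subnet.prefixlen)


def build_spd() -> SPD:
    """Constructed from the post: two tunnels to the same gateway."""
    spd = SPD()
    spd.add("tunnel-24", "192.168.4.0/24", "172.16.28.108")
    spd.add("tunnel-16", "192.168.0.0/16", "172.16.28.108")
    return spd


def selected_tunnel(spd: SPD, dst_ip: str):
    """Name of the tunnel that would carry a packet to dst_ip, or None."""
    policy = spd.lookup(dst_ip)
    return policy.name if policy else None


if __name__ == "__main__":
    spd = build_spd()
    print("both active:  ", selected_tunnel(spd, "192.168.4.1"))  # tunnel-24
    spd.set_trapped("tunnel-24")
    print("/24 trapped:  ", selected_tunnel(spd, "192.168.4.1"))  # tunnel-16
    spd.set_trapped("tunnel-16")
    print("both trapped: ", selected_tunnel(spd, "192.168.4.1"))  # None
```

Note that the model returns the same policy on every lookup once the /24 is trapped, so the fall-through itself does not explain a fresh SA per packet; that is a separate question about SA reuse for the /16 entry.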