Issue #240

Rekeying between StrongSwan 5.1rc1 and Windows 7 fails

Added by Christian Liebscher about 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: libcharon
Affected version: 5.0.0
Resolution: Invalid

Description

Hi,

I did set up a roadwarrior connection between StrongSwan 5.1rc1 and Windows 7. The connection is being established correctly, but my syslog on the server is full of these messages:

Sep 28 20:04:01 xxx charon: 16[IKE] establishing CHILD_SA rw{24}
Sep 28 20:04:01 xxx charon: 16[ENC] generating CREATE_CHILD_SA request 90 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 28 20:04:01 xxx charon: 16[NET] sending packet: from SERVERIP[4500] to CLIENTIP[4500]
Sep 28 20:04:01 xxx charon: 13[NET] received packet: from CLIENTIP[4500] to SERVERIP[4500]
Sep 28 20:04:01 xxx charon: 13[ENC] parsed CREATE_CHILD_SA response 90 [ N(MS_STATUS(13816)) ]
Sep 28 20:04:01 xxx charon: 13[IKE] received MS_NOTIFY_STATUS notify error
Sep 28 20:04:01 xxx charon: 13[IKE] CHILD_SA rekeying failed, trying again in 17 seconds

So rekeying obviously fails all the time and the connection is being interrupted after a lot of failed attempts. Windows seems to reconnect automatically after that. Because I don't do time-critical things over this connection, it works for me. Nevertheless I'm still wondering what might be the problem here.

My ipsec.conf:

conn rw
        left=%any
        leftcert=myCert.pem
        leftid=DNS:MYSERVERS_DNS_ADDRESS
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        auto=add
        keyexchange=ikev2
        mobike=yes
        rightsourceip=192.168.xxx.0/24

Please let me know if you need more information on this, or what I can do to fix this. Thanks in advance (again).

History

#1 Updated by Christian Liebscher about 8 years ago

Obviously I mean 5.0.1rc1

#2 Updated by Tobias Brunner about 8 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

Please have a look at the section about CHILD_SA-rekeying on our Windows 7 wiki page.

According to your logs it's the gateway who initiates the CHILD_SA rekeying, so this behavior is probably to be expected. Even though the returned error (13816=ERROR_IPSEC_IKE_ERROR) is different than what the wiki page says, I'd try to follow the instructions there to resolve this issue.

Please reopen the ticket if you think it's something else.
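
The diagnosis in the comment above can be checked mechanically. The following is an added example, not part of the original thread or of strongSwan: it pairs each CREATE_CHILD_SA rekey request the local charon generated with its response by message ID and reports those answered with an MS_STATUS notify. The function name, the field names and the second exchange in the sample log (message ID 91) are constructed for illustration.

```python
import re

# Constructed sample: the first exchange is copied from the report above,
# the second (message ID 91) is a made-up successful rekey for contrast.
SAMPLE_LOG = """\
Sep 28 20:04:01 xxx charon: 16[IKE] establishing CHILD_SA rw{24}
Sep 28 20:04:01 xxx charon: 16[ENC] generating CREATE_CHILD_SA request 90 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 28 20:04:01 xxx charon: 16[NET] sending packet: from SERVERIP[4500] to CLIENTIP[4500]
Sep 28 20:04:01 xxx charon: 13[NET] received packet: from CLIENTIP[4500] to SERVERIP[4500]
Sep 28 20:04:01 xxx charon: 13[ENC] parsed CREATE_CHILD_SA response 90 [ N(MS_STATUS(13816)) ]
Sep 28 20:04:01 xxx charon: 13[IKE] received MS_NOTIFY_STATUS notify error
Sep 28 20:04:01 xxx charon: 13[IKE] CHILD_SA rekeying failed, trying again in 17 seconds
Sep 28 20:04:18 xxx charon: 09[ENC] generating CREATE_CHILD_SA request 91 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 28 20:04:18 xxx charon: 11[ENC] parsed CREATE_CHILD_SA response 91 [ SA No KE TSi TSr ]
"""

ENC = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ charon: \d+\[ENC\] "
                 r"(?P<verb>generating|parsed) CREATE_CHILD_SA "
                 r"(?P<kind>request|response) (?P<mid>\d+) \[(?P<payloads>[^\]]*)\]")
MS_STATUS = re.compile(r"N\(MS_STATUS\((\d+)\)\)")
# Only the code named in this thread; other codes are reported numerically.
KNOWN_CODES = {13816: "ERROR_IPSEC_IKE_ERROR"}

def find_failed_rekeys(log_text):
    """Return rekeys this host initiated that the peer answered with MS_STATUS."""
    # Assumption: the log covers one IKE_SA, so the message ID alone is a key.
    pending = {}   # message ID -> time we generated the N(REKEY_SA) request
    failures = []
    for line in log_text.splitlines():
        m = ENC.match(line)
        if not m:
            continue
        mid, payloads = int(m["mid"]), m["payloads"]
        if m["verb"] == "generating" and m["kind"] == "request":
            # "generating ... request" means the local daemon is the initiator.
            if "N(REKEY_SA)" in payloads:
                pending[mid] = m["ts"]
        elif m["verb"] == "parsed" and m["kind"] == "response" and mid in pending:
            sent = pending.pop(mid)
            status = MS_STATUS.search(payloads)
            if status:
                code = int(status.group(1))
                failures.append({"message_id": mid, "requested_at": sent,
                                 "initiator": "local", "ms_status": code,
                                 "name": KNOWN_CODES.get(code, "unknown")})
    return failures

if __name__ == "__main__":
    for failure in find_failed_rekeys(SAMPLE_LOG):
        print(failure)
```
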

#3 Updated by Andreas Steffen over 7 years ago

  • Tracker changed from Bug to Issue
  • Assignee set to Tobias Brunner
