New IKE_SA is unusable (e.g. for DPD or CHILD_SA rekeying) if delete of old IKE_SA is delayed after a rekeying
I am facing an issue while rekeying on a strongSwan server.
Please help me to solve this issue.
The client (other than strongSwan) initiates an IKE_SA rekey to the server (strongSwan).
The server received the CREATE_CHILD_SA rekey request from the client and sent a CREATE_CHILD_SA rekey response to the client.
After this, the state of the new IKE SA is CONNECTING at the server (strongSwan), and once the delete for the old SA is received from the client,
the state of the new IKE SA changes to ESTABLISHED.
But the client sends the delete to the server around 30 seconds after receiving the CREATE_CHILD_SA response from the server.
Before sending the delete, the client sends a CREATE_CHILD_SA for IPsec rekey with the new IKE SA.
But the server is not able to respond to that because the new IKE SA on the server side is still in the CONNECTING state, not the ESTABLISHED state.
After the state changes from CONNECTING to ESTABLISHED (after the delete is received), the server is able to respond.
Also in this case, DPD from the server is going to 0.0.0.00. So DPD retransmission fails and the IKE_SA got deleted.
Note: At the client, rekey times are 50s for IPsec rekey and 100s for IKE rekey.
Could you please help me with this?
Thanks in advance.
Waiting for your reply.
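
The timeline described in the report above, as an added example that is not part of the original report or of strongSwan's code: a toy responder model in Python with constructed timestamps and retransmit times. The `wait_for_delete=False` mode is a hypothetical contrast in which the new SA is usable as soon as the rekey response is sent; it does not describe the merged change.

```python
from dataclasses import dataclass

# Constructed timeline (seconds), loosely following the report: IKE rekey at
# t=100, an IPsec rekey sent on the new IKE_SA shortly after, and the DELETE
# for the old IKE_SA arriving about 30 s after the rekey response.
TIMELINE = [
    (100, "old", "CREATE_CHILD_SA(rekey IKE_SA)"),
    (101, "new", "CREATE_CHILD_SA(rekey CHILD_SA)"),
    (105, "new", "CREATE_CHILD_SA(rekey CHILD_SA) retransmit"),
    (113, "new", "CREATE_CHILD_SA(rekey CHILD_SA) retransmit"),
    (130, "old", "INFORMATIONAL(DELETE IKE_SA)"),
    (131, "new", "CREATE_CHILD_SA(rekey CHILD_SA) retransmit"),
]

@dataclass
class Responder:
    # True: new SA stays CONNECTING until DELETE for the old SA (as reported).
    # False: hypothetical contrast, new SA usable once the rekey response is sent.
    wait_for_delete: bool
    new_state: str = "NONE"

    def handle(self, sa, msg):
        """Return True if the request on the given IKE_SA is answered."""
        if sa == "old":
            if "rekey IKE_SA" in msg:
                self.new_state = "CONNECTING" if self.wait_for_delete else "ESTABLISHED"
            elif "DELETE" in msg and self.new_state == "CONNECTING":
                self.new_state = "ESTABLISHED"
            return True
        return self.new_state == "ESTABLISHED"

def simulate(wait_for_delete, timeline=TIMELINE):
    """Return (unanswered requests, seconds the new SA was unusable)."""
    r = Responder(wait_for_delete)
    dropped, created, usable = [], None, None
    for t, sa, msg in timeline:
        answered = r.handle(sa, msg)
        if r.new_state != "NONE" and created is None:
            created = t
        if r.new_state == "ESTABLISHED" and usable is None:
            usable = t
        if not answered:
            dropped.append((t, msg))
    return dropped, usable - created

if __name__ == "__main__":
    for mode in (True, False):
        dropped, window = simulate(mode)
        print(f"wait_for_delete={mode}: window={window}s, unanswered={dropped}")
```
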
Merge branch 'exchange-collisions'
Improves the handling of IKEv2 exchange collisions in several corner
cases. TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies that were defined
with RFC 7296 are now handled and sent as appropriate.
The behavior in these situations is tested with new unit tests.