Bug #379

New IKE_SA is unusable (e.g. for DPD or CHILD_SA rekeying) if delete of old IKE_SA is delayed after a rekeying

Added by muni krishna almost 9 years ago. Updated almost 6 years ago.



I am facing an issue while rekeying on a strongSwan server.
Please help me to solve this issue.


The client (other than strongSwan) initiates an IKE_SA rekey to the server (strongSwan).
The server received the CREATE_CHILD_SA rekey request from the client and sent the CREATE_CHILD_SA rekey response to the client.
After this, the state of the new IKE SA is CONNECTING at the server (strongSwan), and once the delete for the old SA is received from the client,
the state of the new IKE SA changes to ESTABLISHED.
But the client sends the delete to the server around 30 seconds after receiving the CREATE_CHILD_SA response from the server.
Before sending the delete, the client sends a CREATE_CHILD_SA for IPsec rekey with the new IKE SA.
But the server is not able to respond to that because the new IKE SA at the server side is still in CONNECTING state, not ESTABLISHED state.
After the state changes from CONNECTING to ESTABLISHED (after the delete is received), the server is able to respond.

Also in this case, DPD from the server goes into retransmission, fails, and the IKE_SA gets deleted.

Note: At the client, rekey times are 50s for IPsec rekey and 100s for IKE rekey.

Could you please help me with this?
Thanks in advance.
Waiting for your reply.
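
The timeline described in the report above, as an added example that is not part of the original issue and is not strongSwan code: a simplified responder model comparing the reported behaviour (the new IKE_SA stays CONNECTING until the delete for the old one arrives) with one where the new IKE_SA is usable as soon as the rekey response is sent. The event times, message labels and the `establish_on_response` switch are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CONNECTING, ESTABLISHED, DELETED = "CONNECTING", "ESTABLISHED", "DELETED"

# Constructed timeline (seconds, IKE_SA the message arrives on, message).
# Only the ~30 s gap before the delete comes from the report.
TIMELINE = [
    (100, "old", "REKEY_IKE_SA"),    # CREATE_CHILD_SA rekeying the IKE_SA
    (120, "new", "REKEY_CHILD_SA"),  # CREATE_CHILD_SA for the IPsec rekey
    (130, "old", "DELETE"),          # delete for the old IKE_SA
    (150, "new", "REKEY_CHILD_SA"),
]

@dataclass
class Responder:
    establish_on_response: bool  # hypothetical switch, not a strongSwan option
    sas: dict = field(default_factory=lambda: {"old": ESTABLISHED})

    def handle(self, t, sa, msg):
        state = self.sas.get(sa)
        if state != ESTABLISHED:
            # Requests on an SA that is not ESTABLISHED go unanswered.
            return "no response"
        if msg == "REKEY_IKE_SA":
            self.sas["new"] = ESTABLISHED if self.establish_on_response else CONNECTING
        elif msg == "DELETE":
            self.sas[sa] = DELETED
            if self.sas.get("new") == CONNECTING:
                self.sas["new"] = ESTABLISHED  # reported behaviour
        return "response sent"

def run(establish_on_response):
    """Return (time, sa, message, outcome) for each event in TIMELINE."""
    responder = Responder(establish_on_response)
    return [(t, sa, msg, responder.handle(t, sa, msg)) for t, sa, msg in TIMELINE]

def unanswered(establish_on_response):
    """Times at which the client's request got no response."""
    return [t for t, _, _, out in run(establish_on_response) if out == "no response"]

if __name__ == "__main__":
    for mode in (False, True):
        print("establish_on_response =", mode)
        for event in run(mode):
            print("  t=%3ds  %-3s  %-14s -> %s" % event)
```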


Associated revisions

Revision 95a5806a
Added by Tobias Brunner about 6 years ago

Merge branch 'exchange-collisions'

Improves the handling of IKEv2 exchange collisions in several corner
cases. TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies that were defined
with RFC 7296 are now handled and sent as appropriate.

The behavior in these situations is tested with new unit tests.

Fixes #379, #464, #876, #1293.


#1 Updated by Tobias Brunner about 6 years ago

  • Tracker changed from Issue to Bug
  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee changed from Andreas Steffen to Tobias Brunner
  • Priority changed from High to Normal
  • Target version set to 5.5.0

#2 Updated by Tobias Brunner almost 6 years ago

  • Subject changed from IKE SA rekey to New IKE_SA is unusable (e.g. for DPD or CHILD_SA rekeying) if delete of old IKE_SA is delayed after a rekeying
  • Status changed from Assigned to Closed
  • Resolution set to Fixed
