Bug #464: Incorrect handling of IKE_SA rekeying collision when one of the peers (client) does not detect collision - strongSwan

Bug #464

Incorrect handling of IKE_SA rekeying collision when one of the peers (client) does not detect collision

Added by John Johnson over 6 years ago. Updated about 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Tobias Brunner

Category:

charon

Target version:

5.5.0

Start date:

12.12.2013

Due date:

Estimated time:

Affected version:

5.1.0

Resolution:

Fixed

Description

Hello,
Looks like StrongSwan do not properly handle RFC 5996 (2.8.2).
The part where one of the peers do not detect collision (client in our case).
In that case StrongSwan closes all IKE SAs when got D INFORMATIONAL in rekey.

Associated revisions

Revision 95a5806a
Added by Tobias Brunner about 4 years ago

Merge branch 'exchange-collisions'

Improves the handling of IKEv2 exchange collisions in several corner
cases. TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies that were defined
with RFC 7296 are now handled and sent as appropriate.

The behavior in these situations is tested with new unit tests.

Fixes #379, #464, #876, #1293.

History

#1 Updated by John F over 6 years ago

I've seen that occurring several times.
In my opinion, it's strongSwan's worst bug. And it hasn't received the attention from developers it deserves.

#2 Updated by Tobias Brunner about 4 years ago

Tracker changed from Issue to Bug
Status changed from New to Assigned
Assignee set to Tobias Brunner
Priority changed from High to Normal
Target version set to 5.5.0

#3 Updated by Tobias Brunner about 4 years ago

Subject changed from IKE SA rekeying collision when one of the peers (client) does not detect collision to Incorrect handling of IKE_SA rekeying collision when one of the peers (client) does not detect collision
Status changed from Assigned to Closed
Resolution set to Fixed

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues

New issues