Bug #1236

Updated by Tobias Brunner almost 5 years ago

Hi,
strongswan.conf is as below:

<pre>
include strongswan.d/*.conf

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    reuse_ikesa=no
}
</pre>

I configured two connections as below:
<pre>
conn rule1~v1
    rekeymargin=500
    rekeyfuzz=100%
    keyexchange=ikev1
    left=35.6.6.205
    right=35.6.6.105
    leftsubnet=35.6.6.207/32
    rightsubnet=35.6.6.107/32
    authby=secret
    leftid=35.6.6.205
    rightid=%any
    ike=aes128-sha1-modp768!
    esp=aes128-sha1!
    type=tunnel
    ikelifetime=5000s
    keylife=5000s
    mobike=no
    auto=route
    reauth=no

conn rule2~v1
    rekeymargin=500
    rekeyfuzz=100%
    keyexchange=ikev1
    left=35.6.6.205
    right=35.6.6.105
    leftsubnet=35.6.6.209/32
    rightsubnet=35.6.6.109/32
    authby=secret
    leftid=35.6.6.205
    rightid=%any
    ike=aes128-sha1-modp768!
    esp=aes128-sha1!
    type=tunnel
    ikelifetime=5000s
    keylife=5000s
    mobike=no
    auto=route
    reauth=no
</pre>

These two connections were established:
<pre>
Dec 14 18:55:13 24F-VFPC-006 charon: 11[IKE] IKE_SA rule1~v1[1] established between 35.6.6.105[35.6.6.105]...35.6.6.205[35.6.6.205]
Dec 14 18:55:13 24F-VFPC-006 charon: 13[IKE] CHILD_SA rule1~v1{3} established with SPIs c56e6c6f_i c17ac527_o and TS 35.6.6.107/32 === 35.6.6.207/32
Dec 14 18:55:19 24F-VFPC-006 charon: 10[IKE] IKE_SA rule1~v1[2] established between 35.6.6.105[35.6.6.105]...35.6.6.205[35.6.6.205]
Dec 14 18:55:19 24F-VFPC-006 charon: 02[IKE] CHILD_SA rule2~v1{4} established with SPIs ceb39d2f_i c0020abc_o and TS 35.6.6.109/32 === 35.6.6.209/32
</pre>

Then the peer triggers the child_sa rekey, but it can't find the CHILD_SA; this leads to:
<pre>
Dec 14 18:56:13 24F-VFPC-006 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI c17ac527
Dec 14 18:56:13 24F-VFPC-006 charon: 14[IKE] CHILD_SA not found, ignored
</pre>

I tested it on 5.3.2 and 5.3.5; both of them have this issue.
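
An added example, not part of the original report or of strongSwan's code: a Python script that correlates the charon log lines quoted above and shows that the SPI in the ignored DELETE is the outbound SPI logged for CHILD_SA rule1~v1{3}. The function name is hypothetical, and the script assumes the number before `[IKE]` is the worker thread that logged both the DELETE and the "not found" line.

```python
import re

# Log lines copied from the report above (syslog prefix kept as-is).
SAMPLE_LOG = """\
Dec 14 18:55:13 24F-VFPC-006 charon: 13[IKE] CHILD_SA rule1~v1{3} established with SPIs c56e6c6f_i c17ac527_o and TS 35.6.6.107/32 === 35.6.6.207/32
Dec 14 18:55:19 24F-VFPC-006 charon: 02[IKE] CHILD_SA rule2~v1{4} established with SPIs ceb39d2f_i c0020abc_o and TS 35.6.6.109/32 === 35.6.6.209/32
Dec 14 18:56:13 24F-VFPC-006 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI c17ac527
Dec 14 18:56:13 24F-VFPC-006 charon: 14[IKE] CHILD_SA not found, ignored
"""

ESTABLISHED = re.compile(
    r"(\d+)\[IKE\] CHILD_SA (\S+)\{(\d+)\} established with SPIs "
    r"([0-9a-f]+)_i ([0-9a-f]+)_o")
DELETE = re.compile(r"(\d+)\[IKE\] received DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)")
NOT_FOUND = re.compile(r"(\d+)\[IKE\] CHILD_SA not found, ignored")

def find_ignored_deletes(log_text):
    """Return DELETEs that charon ignored although the SPI was logged as established."""
    known = {}      # SPI -> (connection name, CHILD_SA id, direction)
    pending = {}    # worker thread id -> SPI of the last DELETE it logged (assumption)
    findings = []
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            _, name, sa_id, spi_in, spi_out = m.groups()
            known[spi_in] = (name, int(sa_id), "in")
            known[spi_out] = (name, int(sa_id), "out")
        elif m := DELETE.search(line):
            pending[m.group(1)] = m.group(2)
        elif m := NOT_FOUND.search(line):
            spi = pending.pop(m.group(1), None)
            if spi in known:
                findings.append((spi, *known[spi]))
    return findings

if __name__ == "__main__":
    for spi, name, sa_id, direction in find_ignored_deletes(SAMPLE_LOG):
        print(f"DELETE for SPI {spi} ignored, but it is the {direction}bound SPI of {name}{{{sa_id}}}")
```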
