Bug #379
Updated by Tobias Brunner over 9 years ago
Hi,
I am facing an issue while rekeying on strongswan server.
Please help me to solve this issue.
Description:
============
Client (other than strongswan) initiates IKE_SA rekey to Server (strongswan).
Server received CREATE_CHILD_SA rekey request from client and sent CREATE_CHILD_SA rekey response to client.
After this, the state of new IKE SA is CONNECTING at Server (strongswan) and once received delete for old SA from client,
then the state of new IKE SA is changing to ESTABLISHED.
But Client is sending delete to the server after around some 30 seconds after receiving CREATE_CHILD_SA response from Server.
Before sending Delete, client is sending CREATE_CHILD_SA for IPSec rekey with new IKE SA.
But server is not able to respond to that because new IKE SA at server side is still connecting state not established state.
After changing the state from connecting to Established (after Delete received), server is able to respond.
Also in this case, DPD from Server is going to 0.0.0.0[0]. So DPD retransmission fails and IKE_SA got deleted.
Note: At client, rekey times are 50s for IPSec rekey and 100s for IKE rekey.
Could you please help me about this.
Thanks in advance.
Waiting for your reply.
Regards,
JM.Krishna