[strongSwan] IKE_SA rekey happening without CREATE_CHILD_SA packet?

m.divya.mohan m.divya.mohan at zoho.com
Wed Apr 30 11:01:58 CEST 2014


Hi, I have a tunnel established as Node A (20.0.0.1) ==== Node B (20.0.0.2).
Both nodes are using charon (strongSwan 4.3.6).
  
 And both sides have:
      ikelifetime=90s
      keylife=60s
      auto=route
      reauth=no
  
 I am referring to the attached rekey2.pcap file.
  
 After IKE_SA_INIT (packet #7 in pcap), the initiator and responder cookies are f7e6e3504c15b11c and 3b1c20ab77ac3448.
 Subsequent packets use these cookies until an IKE_SA rekey happens at packet #53, in CREATE_CHILD_SA.
 Here the cookies change to new values 274f3d2d81b340ac and 9c67f5a2a64d6e73.
 Till this everything is fine.
  
 The strange thing I am observing is that, at packet #85, the cookies change to e3b281e7beed87d3 and fb34f7cc3f54a1bc.
 But this is happening in an INFORMATIONAL packet. Subsequent packets are using these cookies till the next IKE_SA rekey happens in a CREATE_CHILD_SA packet (#109).
  
 My understanding is that the cookie values should change only when IKE_SA rekey happens, in a CREATE_CHILD_SA packet. 

How could IKE_SA rekey happen and cookies change in an INFORMATIONAL packet (a DPD packet)?
  
 I find it highly unlikely that, for some reason, the CREATE_CHILD_SA packets were not captured by tcpdump.
 Is there any other possible explanation for this?
  
  
 I am using Wireshark version 1.2.8.
 Keys for decryption in Wireshark are given below:
  
 ------------------------------------------
 Encryption algorithm: AES-CBC-128[RFC3602]
 Integrity algorithm: HMAC_SHA1_96[RFC2404]
  
 Initiator: f7e6e3504c15b11c
 Responder: 3b1c20ab77ac3448
 sk_ei EFFA708EF94BFCFE301F5761AA7E8405
 sk_er 7E260CEA422ACE305B4891CFFCF512AD
 sk_ai F1DD8A2AFEAE9477F200396CF0DF1AF360FF7FF9
 sk_ar 47C318A5EFC3B7F02CBE971D5619C546A1A8D1CC
  
 Initiator: 274f3d2d81b340ac
 Responder: 9c67f5a2a64d6e73
 sk_ei 3A23F47F51AEAA274497EAFABCAD17C0
 sk_er 51FDE3E677F6637ECE0A9FA6FA32C1CF
 sk_ai 0CDBDE2821BBD039CAB600CC8170D194DEFD86F5
 sk_ar 05E3A3CC42D225FC0FD6E2101DDDE882C01BBEDB
  
 Initiator: e3b281e7beed87d3
 Responder: fb34f7cc3f54a1bc
 sk_ei A82CF5E597071D33ACB0876017518634
 sk_er 1EDD35536A135FD51B598B1BC8C1F98F
 sk_ai C968F3A4F361182C59BBB24BF436C1DEB84247C9
 sk_ar 40DF3770DA9572CA2F339B0BA564CAE79A8AB2A1
 ------------------------------------------
  
 - Divya
   
 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rekey2.pcap
Type: application/octet-stream
Size: 99342 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140430/50350b59/attachment-0001.obj>
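
A way to check a capture for the pattern described in the message above, as an added example that is not part of the original post: it reads only the cleartext IKEv2 header of each UDP payload (no decryption keys needed) and lists every change of initiator SPI together with the exchange type that first carries it. The function names are hypothetical, and the sample input is constructed from the SPIs and frame numbers quoted in the post, with header-only messages standing in for the real packets.

```python
import struct

# IKEv2 fixed header (RFC 7296, section 3.1): SPIi, SPIr, next payload,
# version, exchange type, flags, message ID, length = 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def parse_ike_header(payload):
    """Return (spi_i, spi_r, exchange, msg_id), or None if not IKEv2."""
    if payload[:4] == b"\x00" * 4:      # non-ESP marker used on UDP 4500
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    spi_i, spi_r, _, version, exch, _, msg_id, length = HDR.unpack_from(payload)
    if version >> 4 != 2 or length < HDR.size:
        return None
    return spi_i.hex(), spi_r.hex(), EXCHANGES.get(exch, str(exch)), msg_id

def spi_transitions(packets):
    """For (frame_no, udp_payload) pairs, list each change of initiator SPI,
    the exchange type that first carries the new SPI, and whether any
    CREATE_CHILD_SA was captured under the previous SPI."""
    out, current, saw_ccsa = [], None, False
    for frame_no, payload in packets:
        hdr = parse_ike_header(payload)
        if hdr is None:
            continue
        spi_i, _, exch, _ = hdr
        if spi_i != current:
            if current is not None:
                out.append((frame_no, spi_i, exch, saw_ccsa))
            current, saw_ccsa = spi_i, False
        saw_ccsa = saw_ccsa or exch == "CREATE_CHILD_SA"
    return out

def _msg(spi_i, spi_r, exch, msg_id=0):
    """Build a header-only IKEv2 message (constructed test input)."""
    return HDR.pack(bytes.fromhex(spi_i), bytes.fromhex(spi_r),
                    0, 0x20, exch, 0x08, msg_id, HDR.size)

# Constructed sample: SPIs and frame numbers quoted in the post, no payloads.
SAMPLE = [
    (7,  _msg("f7e6e3504c15b11c", "3b1c20ab77ac3448", 34)),
    (53, _msg("274f3d2d81b340ac", "9c67f5a2a64d6e73", 36)),
    (85, _msg("e3b281e7beed87d3", "fb34f7cc3f54a1bc", 37)),
    (86, b"\x00" * 4 + _msg("e3b281e7beed87d3", "fb34f7cc3f54a1bc", 37, 1)),
    (87, b"\x01\x02"),                  # too short to be IKE, skipped
]
```

When reading the result, note that under RFC 7296 a CREATE_CHILD_SA exchange that rekeys an IKE SA is protected by the existing SA, so its header carries the old SPIs and the new SPIs travel inside the encrypted SA payload.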