<font size=2 face="sans-serif">I was able to make it such that the old
child_sa is cleaned up right away and after that the IKE_SA init from the
test system worked. i no longer got the No_proposal_chosen reply.</font>
<br>
<br><font size=2 face="sans-serif">regards, </font>
<br><font size=2 face="sans-serif"><br>
</font>
<br><font size=1 color=#800080 face="sans-serif">----- Forwarded by Dennis
Frett/Rochester/IBM on 06/23/2011 11:57 PM -----</font>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Dennis Frett/Rochester/IBM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">users@lists.strongswan.org</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">06/23/2011 10:23 AM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">strongswan IKEv2
ikesa rekey</font>
<br>
<hr noshade>
<br>
<br><font size=2 face="sans-serif">I'm trying to debug a situation with
rekeying of IKE_SA from a test system to Strongswan. </font>
<br><font size=2 face="sans-serif">The original IKE_SA is authenticated
from the test system to Strongswan.</font>
<br><font size=2 face="sans-serif">Subsequent rekeying of Child_sa's happen
in between.</font>
<br><font size=2 face="sans-serif">Strongswan receives a create_child_sa
for a new IKE_SA but according to the message below, it rejects the request
because it says there's a half open child_sa.</font>
<br><font size=2 face="sans-serif">that seems to be a misleading message.
all of the create child_sa requests have completed. There
are currently two open child_sa's for the IKE_SA as after the last child_sa
rekey, the test system did not promptly remove the old child_sa.</font>
<br><font size=2 face="sans-serif">is that what the message is referring
to on the IKE_SA rekey request or is it something else?</font>
<br>
<br>
<br>
<br>
<br><font size=2 face="Courier New">Jun 22 18:41:06 blackthumb charon:
13[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:06 blackthumb charon:
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:06 blackthumb charon:
13[IKE] 9.5.40.33 is initiating an IKE_SA</font>
<br><font size=2 face="Courier New">Jun 22 18:41:06 blackthumb charon:
13[IKE] sending cert request for "C=US, O=IBM, CN=BlackthumbCA"</font>
<br><font size=2 face="Courier New">Jun 22 18:41:06 blackthumb charon:
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:06 blackthumb charon:
13[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH N(INIT_CONTACT) SA TSi
TSr ]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[CFG] looking for peer configs matching 9.5.149.53[9.5.149.53]...9.5.40.33[9.5.40.33]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[CFG] selected peer config 'strongswan-system'</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[IKE] authentication of '9.5.40.33' with pre-shared key successful</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[IKE] authentication of '9.5.149.53' (myself) with pre-shared key</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[IKE] IKE_SA strongswan-system[43] established between 9.5.149.53[9.5.149.53]...9.5.40.33[9.5.40.33]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[IKE] scheduling rekeying in 983s</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[IKE] maximum IKE_SA lifetime 1103s</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[IKE] CHILD_SA strongswan-system{4} established with SPIs c88bfde2_i
d89a0c68_o and TS 9.5.149.53/32 === 9.5.40.33/32 </font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]</font>
<br><font size=2 face="Courier New">Jun 22 18:41:08 blackthumb charon:
11[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:48:11 blackthumb charon:
16[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:48:11 blackthumb charon:
16[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]</font>
<br><font size=2 face="Courier New">Jun 22 18:48:11 blackthumb charon:
16[IKE] CHILD_SA strongswan-system{4} established with SPIs c3ac6e16_i
a02ba143_o and TS 9.5.149.53/32 === 9.5.40.33/32 </font>
<br><font size=2 face="Courier New">Jun 22 18:48:11 blackthumb charon:
16[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]</font>
<br><font size=2 face="Courier New">Jun 22 18:48:11 blackthumb charon:
16[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[ENC] parsed INFORMATIONAL request 3 [ D ]</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[IKE] received DELETE for ESP CHILD_SA with SPI d89a0c68</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[IKE] closing CHILD_SA strongswan-system{4} with SPIs c88bfde2_i (0 bytes)
d89a0c68_o (0 bytes) and TS 9.5.149.53/32 === 9.5.40.33/32 </font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[IKE] sending DELETE for ESP CHILD_SA with SPI c88bfde2</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[IKE] CHILD_SA closed</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[ENC] generating INFORMATIONAL response 3 [ D ]</font>
<br><font size=2 face="Courier New">Jun 22 18:51:11 blackthumb charon:
01[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:55:14 blackthumb charon:
09[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:55:14 blackthumb charon:
09[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]</font>
<br><font size=2 face="Courier New">Jun 22 18:55:14 blackthumb charon:
09[IKE] CHILD_SA strongswan-system{4} established with SPIs c824af9e_i
7b2f7697_o and TS 9.5.149.53/32 === 9.5.40.33/32 </font>
<br><font size=2 face="Courier New">Jun 22 18:55:14 blackthumb charon:
09[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]</font>
<br><font size=2 face="Courier New">Jun 22 18:55:14 blackthumb charon:
09[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:56:09 blackthumb charon:
06[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Jun 22 18:56:09 blackthumb charon:
06[ENC] parsed CREATE_CHILD_SA request 5 [ SA No KE ]</font>
<br><font size=2 face="Courier New">Jun 22 18:56:09 blackthumb charon:
06[IKE] peer initiated rekeying, but a child is half-open</font>
<br><font size=2 face="Courier New">Jun 22 18:56:09 blackthumb charon:
06[ENC] generating CREATE_CHILD_SA response 5 [ N(NO_PROP) ]</font>
<br><font size=2 face="Courier New">Jun 22 18:56:09 blackthumb charon:
06[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]</font>
<br><font size=2 face="sans-serif"><br>
</font>
<br>