<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body ><div style='font-size:10pt;font-family:Verdana,Arial,Helvetica,sans-serif;'>Hi,    <p class="MsoPlainText">I have a tunnel established as Node A (20.0.0.1) ==== Node B (20.0.0.2).</p><p class="MsoPlainText">Both nodes are using charon (strongSwan 4.3.6).</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">And both sides<span style="mso-spacerun:yes">  </span>have:</p>  <p class="MsoPlainText"><span style="mso-spacerun:yes">     </span>ikelifetime=90s</p>  <p class="MsoPlainText"><span style="mso-spacerun:yes">     </span>keylife=60s</p>  <p class="MsoPlainText"><span style="mso-spacerun:yes">    </span><span style="mso-spacerun:yes"> </span>auto=route</p>  <p class="MsoPlainText"><span style="mso-spacerun:yes">    </span><span style="mso-spacerun:yes"> </span>reauth=no</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">I am referring to the attached rekey2.pcap file.</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">After IKE_SA_INIT (packet #7 in pcap), the initiator and responder cookies are f7e6e3504c15b11c and 3b1c20ab77ac3448.</p>  <p class="MsoPlainText">Subsequent packets use these cookies, till an IKE_SA rekey happens at packet #53, in CREATE_CHILD_SA.</p>  <p class="MsoPlainText">Here the cookies change to new values 274f3d2d81b340ac and 9c67f5a2a64d6e73.</p>  <p class="MsoPlainText">Till this point, everything is fine.</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">The strange thing I am observing is that, at packet #85, the cookies change to e3b281e7beed87d3 and fb34f7cc3f54a1bc.</p>  <p class="MsoPlainText">But this is happening in an INFORMATIONAL packet. 
Subsequent packets are using these cookies till the next IKE_SA rekey happens in a CREATE_CHILD_SA packet (#109).</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">My understanding is that the cookie values should change only when IKE_SA rekey happens, in a CREATE_CHILD_SA packet.</p><p class="MsoPlainText">How could IKE_SA rekey happen and cookies change in an INFORMATIONAL packet (a DPD packet)?</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">I find it highly unlikely that, for some reason, the CREATE_CHILD_SA packets were not captured by tcpdump.</p>  <p class="MsoPlainText">Is there any other possible explanation for this?</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">I am using Wireshark version 1.2.8.</p>  <p class="MsoPlainText">Keys for decryption in Wireshark are given below:</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">------------------------------------------</p>  <p class="MsoPlainText">Encryption algorithm: AES-CBC-128[RFC3602]</p>  <p class="MsoPlainText">Integrity algorithm: HMAC_SHA1_96[RFC2404]</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">Initiator: f7e6e3504c15b11c</p>  <p class="MsoPlainText">Responder: 3b1c20ab77ac3448</p>  <p class="MsoPlainText">sk_ei EFFA708EF94BFCFE301F5761AA7E8405</p>  <p class="MsoPlainText">sk_er 7E260CEA422ACE305B4891CFFCF512AD</p>  <p class="MsoPlainText">sk_ai F1DD8A2AFEAE9477F200396CF0DF1AF360FF7FF9</p>  <p class="MsoPlainText">sk_ar 47C318A5EFC3B7F02CBE971D5619C546A1A8D1CC</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText">Initiator: 274f3d2d81b340ac</p>  <p class="MsoPlainText">Responder: 9c67f5a2a64d6e73</p>  <p class="MsoPlainText">sk_ei 3A23F47F51AEAA274497EAFABCAD17C0</p>  <p class="MsoPlainText">sk_er 51FDE3E677F6637ECE0A9FA6FA32C1CF</p>  <p class="MsoPlainText">sk_ai 0CDBDE2821BBD039CAB600CC8170D194DEFD86F5</p>  <p class="MsoPlainText">sk_ar 05E3A3CC42D225FC0FD6E2101DDDE882C01BBEDB</p>  <p 
class="MsoPlainText"> </p>  <p class="MsoPlainText">Initiator: e3b281e7beed87d3</p>  <p class="MsoPlainText">Responder: fb34f7cc3f54a1bc</p>  <p class="MsoPlainText">sk_ei A82CF5E597071D33ACB0876017518634</p>  <p class="MsoPlainText">sk_er 1EDD35536A135FD51B598B1BC8C1F98F</p>  <p class="MsoPlainText">sk_ai C968F3A4F361182C59BBB24BF436C1DEB84247C9</p>  <p class="MsoPlainText">sk_ar 40DF3770DA9572CA2F339B0BA564CAE79A8AB2A1</p>  <p class="MsoPlainText">------------------------------------------</p>  <p class="MsoPlainText"> </p>  <p class="MsoPlainText"><a name="_MailAutoSig"><span style="mso-no-proof:yes">- Divya</span></a></p>  <span style="mso-bookmark:_MailAutoSig"></span>  <p class="MsoPlainText"> </p>  <br></div></body></html>