[strongSwan-dev] 2 transport mode CHILD SAs, tunnel up, connection down

Martin Willi martin at strongswan.org
Mon Mar 18 15:22:05 CET 2013


Hi James,

> It should be noted that I had tested the same setup with the
> configuration option 'reauth=no' previously for 5 days without such a
> situation appearing. I then removed this option and after 2 days of
> testing I had the problem described above.

It is hard to say what ultimately led to the second CHILD_SA, but that
reauthentication is involved is certainly possible.

Reauthentication is actually a kludge in IKEv2, as it just re-establishes
the IKE_SA and all CHILD_SAs from scratch. There are situations that are
hard to handle, for example if one peer re-authenticates while the other
rekeys a CHILD_SA. Another problem arises if, for example, a trap policy
(auto=route) triggers while the remote end has closed the IKE_SA just
before recreating it during re-authentication.

I usually recommend setting reauth=no, as re-evaluating credentials is
just not required for most setups. If it is in your setup, you might
consider choosing rekey/reauth times such that the same peer always
initiates the reauthentication/rekeying. This certainly can help in
avoiding the issue you have seen.

Regards
Martin
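The "same peer always initiates" advice above can be checked numerically. The following is an added example, not code from the thread or from the strongSwan project: it models the rekey window that strongSwan derives from the ipsec.conf keys lifetime/ikelifetime, rekeymargin and rekeyfuzz (rekeying starts at lifetime minus rekeymargin, randomly increased by up to rekeyfuzz percent; this reading of the man page is an assumption) and reports whether two peers' windows can ever overlap.

```python
"""Check that two IKEv2 peers' rekey/reauth windows cannot overlap.

Model (assumed from the strongSwan ipsec.conf man page):
    rekey starts at  lifetime - rekeymargin * (1 + U[0, rekeyfuzz/100])
so the window runs from  lifetime - rekeymargin*(1+fuzz)  to  lifetime - rekeymargin.
All times are seconds after SA setup; rekeyfuzz is a percentage.
The same model applies to IKE_SA reauthentication with ikelifetime.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerTiming:
    name: str
    lifetime: int      # hard expiry: 'lifetime' (CHILD_SA) or 'ikelifetime' (IKE_SA)
    rekeymargin: int   # 'rekeymargin' in seconds
    rekeyfuzz: int     # 'rekeyfuzz' in percent (strongSwan default 100)

    def window(self):
        """Earliest and latest moment this peer may start rekeying."""
        latest = self.lifetime - self.rekeymargin
        earliest = self.lifetime - self.rekeymargin * (1 + self.rekeyfuzz / 100)
        return earliest, latest


def always_same_initiator(a, b):
    """Return (ok, initiator, gap_seconds).

    ok is True only if one peer's whole window (and therefore its rekey)
    lies before the other peer can even start, so the roles never swap
    and the responder's hard expiry is never reached first.
    """
    a_lo, a_hi = a.window()
    b_lo, b_hi = b.window()
    if a_hi < b_lo and a_hi < b.lifetime:
        return True, a.name, b_lo - a_hi
    if b_hi < a_lo and b_hi < a.lifetime:
        return True, b.name, a_lo - b_hi
    return False, None, 0.0


if __name__ == "__main__":
    # Constructed sample values: strongSwan defaults (1h, 9m, 100%) on both
    # sides overlap; lengthening the responder's lifetime to 90 minutes
    # gives the initiator a 21-minute head start.
    defaults = PeerTiming("moon", 3600, 540, 100)
    print(always_same_initiator(defaults, PeerTiming("sun", 3600, 540, 100)))
    print(always_same_initiator(defaults, PeerTiming("sun", 5400, 540, 100)))
```

With identical default settings the check fails, which is exactly the symmetric race the message describes; giving one side a longer lifetime makes the other side the predictable initiator.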
