[strongSwan-dev] Regarding missbehaviour of strongswan4.5.3 while configure ikev1

Ranjan Kumar Mishra ranjan.mishra at aricent.com
Mon Sep 9 12:53:17 CEST 2013


We are using strongswan4.5.3 .

one bypass policy and another is protected which is any to any with ikev1.

Security g/w
Check point
For protected having both ikev1 and ikev2 for same policy

Scenario :

Initial it is established with ikev1 from the check point and work as per
the expectation.

After some time later DPD restart has happened and check Point used to send
IKE_SA_INIT from ikev2 and then association get established as FTM ikev1 and
CP ikev2 as per the strongswan behavior.
Still it is able to handle traffic. After some time later ikev1 used to send
quick_mode to our strongswan and in Pluto logs I am able to see
“pluto[4364]: | policy === in already exists, increasing

This is happened two times.

After some time the delete SA has come for charon
charon: 09[IKE] closing CHILD_SA conn1000{1} with SPIs c1a4906e_i (2209
bytes) 4ba2d472_o (9351 bytes) and TS === 0.0L

Policy has been deleted from xfrm, but still Pluto SAs is there and complete
traffic used to stop due to there is no policy in the xfrm.

Can you please suggest how to handle this ?

As per my point of view it should not accept the ikev2 request, because
there is no policy configured for ikev2 and if it is able to accept the
request from ikev2 then it should check the existing plutos SA while
deleting the policy when charon initiate closing SA.

Thanks in advance.

Thanks and best Regards,

More information about the Dev mailing list