[strongSwan-dev] IKEv1 rekeying / uniqueness honoring

Timo Teras timo.teras at iki.fi
Thu May 7 16:31:31 CEST 2015


Hi,

I'm testing strongSwan against racoon for an upgrade path. But it seems
the IKEv1 IKE_SA rekeying fails. What happens is:
1) racoon rekeys phase1
2) strongSwan accepts, and queues adopt_children_job
3) adopt_children_job moves all children to the new IKE_SA just fine,
   but then it unconditionally terminates the old IKE_SAs, even if my
   config has "unique=no" for the peer. Apparently it's a bug in
   adopt_children_job::execute?
4) racoon keeps DPDing the old IKE_SA which got deleted on the swan side
   (probably a racoon bug that the delete notification is not handled right)
5) racoon DPD says the peer is dead, and kills all SAs
6) connection lost until everything is restarted from the start

Would it be possible to fix adopt_children_job to honor "unique=no" and
not delete the old IKE_SAs?

Thanks,
Timo

