[strongSwan-dev] Jousting w/ IKEv2

Jeff Chilton jeff.chilton at mail.ois.com
Mon May 11 20:04:44 CEST 2015

Hello Developers,

I've been doing some tests with two hosts (running version 5.3.0) trying 
to initiate IKEv2 sessions (with each other), both starting via "ipsec 
up" at approximately the same time.

What I'm seeing--every once in a while; seems to depend on 
timing--is one side will end up with two complete sets of SAs ("2 up, 0 
connecting") while the other side settles with only one set. The ESP 
SPIs indicate the single set corresponding to the higher []-numbered 
ones at the side with two.

ESP traffic does flow in this condition, but I'm concerned it's by luck, 
requiring the side with the extra set of SAs to use the correct one when 
transmitting.  Also, if the valid pair gets torn, the side left with the 
extra, un-matched SA goes incommunicado.

Is this a known issue, or something I should enter as one?


