[strongSwan-dev] IKEv1 rekeying / uniqueness honoring

Timo Teras timo.teras at iki.fi
Mon May 11 20:48:08 CEST 2015

On Fri, 8 May 2015 14:45:49 +0300
Timo Teras <timo.teras at iki.fi> wrote:

> Please disregard the below.
> Racoon does support IKE_SA deletion. It seems there was somehow a
> mismatch on the CHILD_SAs the racoon side initiated, and what
> strongSwan initiated. It's slightly curious how that resulted in total
> disconnect, but it might've been related to other scripts I use.
> Also that patch posted, does not probably work correctly unless
> additional REKEYED state is introduced to IKE_SA and marked as such
> when childs have been adopted - otherwise the IKE_SA rekeyed by
> remote, will be rekeyed again by us.
> I'll investigate more.

Once more on this topic.

What happens is when racoon rekeys, is that strongSwan detects rekeying
and posts the adopt_children_job. It will also delete the IKE_SA
silently -> that is, no ISAKMP_DELETE notification is sent to racoon.
This is why racoon considers DPD triggers, and once it detects the
IKE_SA dead, it will flush all other IKE_SAs and CHILD_SAs away.

While it is racoon bug that it does not check for other valid IKE_SAs
for the same peer -- I think strongSwan should be improved to send
ISAKMP_DELETE notification once it decides to delete the IKE_SA as
result of rekeying.

Or back to the point of my previous mail, of not deleting the IKE_SA at
all, but letting it expire 'naturally'.

Any thoughts?


More information about the Dev mailing list