[strongSwan-dev] Understanding IKEv1 rekey

Noam Lampert lampert at google.com
Mon Aug 22 10:26:59 CEST 2016


We are having integration problems with Cisco ASR on IKEv1 that appear only
during IKE rekey.

At rekey time strongswan successfully initiates and negotiates a new IKE
SA, and after 10 seconds strongswan silently deletes the old IKE SA causing
DPD failures on the old IKE SA. This confuses the Cisco ASR, eventually
causing it to delete the child SAs and the new IKE SA.

My question: How is the Cisco ASR supposed to know that the old IKE SA is
no longer relevant?

Is it possible that the intention was to delete the IKE SA after it is
totally expired, and the '10' value should really be
peer_cfg->get_over_time() ? Even if so, shouldn't strongswan still not send
a delete message?

A few pointers in the code:
* ike_sa->delete() for an IKE SA that is rekeyed silently deletes itself:
https://github.com/strongswan/strongswan/blob/master/src/libcharon/sa/ike_sa.c#L1786
 (note the 'break' and return DESTROY_ME).
* The decision to delete 10 seconds after negotiating the new IKE SA is
taken here:
https://github.com/strongswan/strongswan/blob/master/src/libcharon/sa/ike_sa_manager.c#L1908

Noam
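An added illustration of the failure mode described above, not code from strongSwan or from the original post: two toy IKEv1 peers, one that behaves like the strongSwan initiator (drops the old IKE SA 10 seconds after the rekey) and one that behaves like the responder running DPD on every IKE SA it still knows. The DPD interval, the miss threshold and the assumption that the responder keeps its child SAs when it receives an ISAKMP Delete for the old IKE SA are constructed for the example; only the 10-second linger comes from the post.

```python
"""Constructed model of an IKEv1 rekey followed by silent vs. announced deletion
of the old IKE SA. All peer behaviour here is a simplification for illustration."""
from dataclasses import dataclass

OLD_SA_LINGER = 10     # from the post: old IKE SA is dropped 10 s after the rekey
DPD_INTERVAL = 4       # constructed: responder probes each IKE SA every 4 s
DPD_MAX_MISSED = 3     # constructed: three unanswered R_U_THERE probes => peer dead


@dataclass
class IkeSa:
    spi: str
    missed_dpd: int = 0


class Peer:
    """Minimal IKEv1 peer: a table of IKE SAs, a set of child SAs and an event log."""

    def __init__(self, name, spis, children):
        self.name = name
        self.sas = {spi: IkeSa(spi) for spi in spis}
        self.children = set(children)
        self.log = []

    def receive(self, t, msg, spi, sender):
        if spi not in self.sas:
            # Unknown SPI: the message is dropped without any reply, which is
            # exactly what the DPD sender then observes as silence.
            self.log.append((t, f"{self.name}: dropped {msg} for unknown SPI {spi}"))
            return
        if msg == "R_U_THERE":
            sender.receive(t, "R_U_THERE_ACK", spi, self)
        elif msg == "R_U_THERE_ACK":
            self.sas[spi].missed_dpd = 0
        elif msg == "DELETE":
            # Assumption: an ISAKMP Delete for the IKE SA removes that SA only;
            # the child SAs stay with the remaining (new) IKE SA.
            del self.sas[spi]
            self.log.append((t, f"{self.name}: removed IKE SA {spi} on peer's DELETE"))

    def dpd_probe(self, t, other):
        """Probe every known IKE SA; tear everything down after too many misses."""
        for sa in list(self.sas.values()):
            sa.missed_dpd += 1            # reset to 0 when the ACK comes back
            other.receive(t, "R_U_THERE", sa.spi, self)
            if sa.missed_dpd >= DPD_MAX_MISSED:
                self.log.append((t, f"{self.name}: DPD failure on {sa.spi}, tearing down all SAs"))
                self.sas.clear()
                self.children.clear()
                return


def simulate(send_delete, horizon=40):
    """Run the scenario from just after the rekey (both peers hold 'old' and 'new').

    send_delete=False reproduces the silent deletion described in the post;
    send_delete=True announces the deletion with an ISAKMP Delete payload.
    Returns (responder, initiator) so the caller can inspect the final state."""
    init = Peer("strongswan", ["old", "new"], ["child1"])
    resp = Peer("cisco", ["old", "new"], ["child1"])
    for t in range(1, horizon + 1):
        if t == OLD_SA_LINGER:
            if send_delete:
                resp.receive(t, "DELETE", "old", init)
            else:
                init.log.append((t, "strongswan: silently destroyed IKE SA old"))
            del init.sas["old"]
        if t % DPD_INTERVAL == 0:
            resp.dpd_probe(t, init)
    return resp, init


if __name__ == "__main__":
    for announce in (False, True):
        resp, init = simulate(send_delete=announce)
        print(f"--- send_delete={announce} ---")
        for entry in sorted(init.log + resp.log):
            print(entry)
        print("responder IKE SAs:", sorted(resp.sas), "child SAs:", sorted(resp.children))
```

In the silent run the responder's probes on the old SPI go unanswered from t=12 onward and the responder tears down every SA at t=20, including the freshly negotiated IKE SA and the child SA; in the announced run it forgets the old IKE SA at t=10 and keeps probing only the new one.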