[strongSwan-dev] IKEv1, Racoon and traffic selectors
Jean-Francois HREN
jean-francois.hren at stormshield.eu
Mon May 18 11:46:37 CEST 2020
Hello all,
I have a compatibility issue between Racoon & Charon.
Let's say you set up a working phase 1 between Racoon and Charon as well as a working phase 2.
The tunnel goes up and everything works fine.
You add a phase 2 to Charon but unknown to Racoon and try to initiate it.
A Quick Mode exchange is started by Charon but Racoon drops it since the traffic selectors are unknown.
However Racoon does not send any Informational Exchange message mostly because I think it is not mandatory according to the RFC.
Charon re-transmits the message 4 times and deems the remote peer dead (dpdaction is hold and closeaction is none).
The working phase 1 and 2 are deleted and the phase 1 is reestablished with the previous Quick Mode task reactivated for the unknown phase 2 leading to a new series of re-transmitted messages, dead peer and reestablished phase 1.
A first solution would be to make Racoon send an Informational Exchange message with a notify payload of type INVALID-ID-INFORMATION. It works and the phase 1 is not put down by Charon, but compatibility-wise it is not the optimal solution I guess.
Another solution would be to allow Charon to do nothing after 4 re-transmissions or maybe check the use time of phase 2 or launch some DPD.
Any ideas on this problem?
Thank you.
Jean-François Hren
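As an added illustration (not code from the post, strongSwan or Racoon), the following toy model replays the sequence described above: a responder that silently drops a Quick Mode for unknown traffic selectors versus one that answers with an INVALID-ID-INFORMATION notify, and what each does to the initiator's IKE_SA. The selector strings, the `simulate` helper and the class names are constructed assumptions.

```python
MAX_RETRANSMITS = 4  # retransmit count the post attributes to charon


class Responder:
    """Models Racoon: accepts only the phase 2 it knows about."""
    def __init__(self, known_ts, send_notify):
        self.known_ts, self.send_notify = set(known_ts), send_notify

    def quick_mode(self, ts):
        if ts in self.known_ts:
            return "QM_REPLY"
        # Unknown selectors: Informational notify, or silence (Racoon default).
        return "INVALID-ID-INFORMATION" if self.send_notify else None


class Initiator:
    """Models charon with dpdaction=hold and closeaction=none."""
    def __init__(self, responder):
        self.responder, self.ike_up = responder, False
        self.child_sas, self.log = set(), []

    def quick_mode(self, ts):  # returns True if the CHILD_SA came up
        for n in range(1, MAX_RETRANSMITS + 2):  # initial send + retransmits
            reply = self.responder.quick_mode(ts)
            if reply == "QM_REPLY":
                self.child_sas.add(ts)
                return True
            if reply == "INVALID-ID-INFORMATION":
                self.log.append(f"{ts}: rejected by peer, IKE_SA kept")
                return False
            self.log.append(f"{ts}: send {n} unanswered")
        self.log.append("peer deemed dead: IKE_SA and all CHILD_SAs deleted")
        self.ike_up, self.child_sas = False, set()
        return False


def simulate(send_notify, max_reestablish=2):
    """Bring up the shared phase 2, then the one Racoon does not know."""
    known, unknown = "10.0.1.0/24<->10.0.2.0/24", "10.0.3.0/24<->10.0.2.0/24"
    charon = Initiator(Responder([known], send_notify))
    pending, dead_peer_events = [known, unknown], 0
    for _ in range(max_reestablish + 1):
        charon.ike_up = True  # phase 1 (re)established, assumed to succeed
        for ts in list(pending):
            charon.quick_mode(ts)
            if not charon.ike_up:  # peer deemed dead; task stays queued
                dead_peer_events += 1
                break
            pending.remove(ts)  # established or explicitly rejected
    return {"ike_up": charon.ike_up, "child_sas": charon.child_sas,
            "dead_peer_events": dead_peer_events, "log": charon.log}
```

With `send_notify=False` every re-established phase 1 is torn down again by the queued Quick Mode task; with `send_notify=True` only the unknown phase 2 fails and the existing tunnel survives.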