[strongSwan] Rekey issue when strongswan is initiating rekey
Arun Raj
arun at stoke.com
Fri Jun 4 09:58:28 CEST 2010
<<ike.pcap>>
Hi,

This is regarding an issue with strongSwan during IKEv2 Phase1 rekey.

I brought up an IKEv2 session using strongSwan and our box (remote access IPSec session).

Here I am seeing an issue that whenever strongSwan is configured to initiate Phase1 rekey (IKE_SA), strongSwan sends the IKE delete message first (as an informational exchange), then followed by SA Init. Due to this, each Phase1 rekey is like tearing down the existing session and setting up a new one.

But I think the IKE delete for the old SA should be sent only after the new SA is established. Please correct me if I am wrong.

This issue was not observed when we configured the other side gateway (not strongSwan) we are using to initiate rekey.

I tried two different versions of strongSwan, 4.2.9 and 4.4.0.

If someone faced this issue and was able to solve it, please let me know.

I am pasting my ipsec.conf file also for your reference.

cat ipsec.conf
# basic configuration
config setup
        strictcrlpolicy=no
        plutostart=no
        charonstart=yes
        charondebug=all
        klipsdebug=all

conn home
        rekey=yes
        ikelifetime=90s
        keylife=800s
        rekeymargin=20
        keyexchange=ikev2
        auth=esp
        authby=psk
        keyingtries=1
        left=90.1.1.1
        leftid=ikev2 at ic
        leftsourceip=10.10.10.1
        leftfirewall=no
        right=15.1.1.1
        #rightid=*@ic
        rightid=%any
        rightsubnet=69.0.0.1/24
        pfs=yes
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
        auto=add

(The file which I attached here is the pcap during P1 rekey.)

Thanks,
Arun
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ike.pcap
Type: application/octet-stream
Size: 3081 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100604/5e4d51e6/attachment.obj>
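
To tell the two sequences discussed in the post apart in a capture, the following added example (not part of the original post and not strongSwan code) classifies how an IKE_SA was replaced using only the cleartext IKEv2 headers. The function names, result labels and sample packets are assumptions constructed for illustration.

```python
import struct
from collections import namedtuple

# IKEv2 exchange types (RFC 7296, section 3.1)
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
IkeHdr = namedtuple("IkeHdr", "spi_i spi_r exchange flags msg_id length")

def parse_ike_header(data):
    """Parse the fixed 28-byte header that starts every IKEv2 message."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _np, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if ver >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    return IkeHdr(spi_i, spi_r, exch, flags, msg_id, length)

def classify_rollover(packets):
    """Say how the first IKE_SA in a capture was replaced, using only the
    cleartext headers (the Delete payload itself is encrypted, so an
    INFORMATIONAL exchange right before a new IKE_SA_INIT is a heuristic)."""
    hdrs = [parse_ike_header(p) for p in packets]
    if not hdrs:
        return "no-rollover"
    old_spi, last_old = hdrs[0].spi_i, hdrs[0].exchange
    saw_ccsa = False
    for h in hdrs[1:]:
        if h.spi_i == old_spi:            # still talking on the old IKE_SA
            last_old = h.exchange
            saw_ccsa |= h.exchange == CREATE_CHILD_SA
        elif h.exchange == IKE_SA_INIT:   # new IKE_SA negotiated from scratch
            return ("break-before-make" if last_old == INFORMATIONAL
                    else "make-before-break")
        elif saw_ccsa:                    # new SPI without any IKE_SA_INIT
            return "inline-rekey"
        else:
            return "unknown"
    return "no-rollover"

def hdr(spi_i, spi_r, exch, msg_id):
    """Build a constructed, header-only IKEv2 request (sample data)."""
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, 0, 0x20, exch, 0x08, msg_id, 28)

A, B, C, D, Z = (bytes([n]) * 8 for n in (0xA1, 0xB2, 0xC3, 0xD4, 0))
# Constructed trace of the sequence in the post: INFORMATIONAL, then IKE_SA_INIT.
DELETE_FIRST = [hdr(A, Z, IKE_SA_INIT, 0), hdr(A, B, IKE_AUTH, 1),
                hdr(A, B, INFORMATIONAL, 2), hdr(C, Z, IKE_SA_INIT, 0)]
# Constructed trace of a CREATE_CHILD_SA rekey, old SA deleted afterwards.
INLINE = [hdr(A, Z, IKE_SA_INIT, 0), hdr(A, B, IKE_AUTH, 1),
          hdr(A, B, CREATE_CHILD_SA, 2), hdr(A, B, INFORMATIONAL, 3),
          hdr(C, D, INFORMATIONAL, 0)]
```

In strongSwan's ipsec.conf the IKEv2 behaviour is selected by the conn option reauth: yes (the default) creates a new IKE_SA from scratch, while no rekeys the IKE_SA in place with CREATE_CHILD_SA.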