[strongSwan] strongswan seems to go mad after some time

Martin Willi martin at strongswan.org
Mon Oct 4 12:36:37 CEST 2010


Hi,

> I do not understand why port 4500 is used. I shouldn't have a NATed
> setup.

A MOBIKE-enabled peer always switches to port 4500 for IKE_AUTH; this is
the intended behavior.

> 12[ENC] parsed INFORMATIONAL request 268 [ D ]
> 12[IKE] received DELETE for IKE_SA kronecker.scientia.net[2]

> 12[IKE] restarting CHILD_SA kronecker.scientia.net
> 12[IKE] initiating IKE_SA kronecker.scientia.net[4] to 77.37.6.134
> 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 03[IKE] 77.37.6.134 is initiating an IKE_SA

Looks like a bug if reauth=yes is used in conjunction with
dpdaction=restart and uniqueids=yes. If an IKE_SA is deleted for some
reason, the responding peer tries to reestablish the same with the
restart action. However, the peer deleting the SA actually does a
reauthentication by close-and-reestablish, resulting in redundant
IKE_SAs. This probably triggers the unique checking of an IKE_SA, and
again, deletes one of them.

The main issue here is the problematic reauthentication procedure
defined by the IKEv2 protocol. I'd highly recommend disabling it with
reauth=no, as it is usually useless from a security perspective if the
user does not have to reenter his credentials manually.

There is currently a discussion about a proper reauthentication
extension for IKEv2 on the IPsec mailing list. We probably should drive
that thing forward and fix all the problems resulting from
reauthentication.

Regards
Martin
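As an added check that is not part of this thread or of strongSwan itself, the following Python script parses an ipsec.conf and flags every conn that combines reauth=yes with dpdaction=restart while uniqueids is enabled, i.e. the combination Martin describes. It assumes strongSwan's ipsec.conf defaults (reauth=yes, uniqueids=yes, dpdaction=none) and uses a constructed sample configuration.

```python
# Constructed sample ipsec.conf (not from the thread); the 'kronecker' conn
# reproduces the reauth=yes + dpdaction=restart + uniqueids=yes combination.
SAMPLE_CONF = """\
config setup
    uniqueids=yes
conn %default
    keyexchange=ikev2
    dpdaction=restart       # inherited by every conn below
conn kronecker
    reauth=yes
conn fixed
    reauth=no               # Martin's recommendation
"""

# Assumed strongSwan ipsec.conf defaults: reauth=yes, dpdaction=none,
# uniqueids=yes; 'conn %default' and per-conn settings override them.
CONN_DEFAULTS = {"reauth": "yes", "dpdaction": "none"}

def parse_ipsec_conf(text):
    """Return (config-setup dict, {conn name: dict}) for ipsec.conf text."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            kind, _, name = line.partition(" ")
            current = None                         # other sections (ca, ...) skipped
            if kind == "config" and name.strip() == "setup":
                current = setup
            elif kind == "conn":
                current = conns.setdefault(name.strip(), {})
        elif current is not None and "=" in line:  # key=value inside a section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return setup, conns

def flag_reauth_restart_conflicts(text):
    """Conns where DPD restart, reauthentication and uniqueids would collide."""
    setup, conns = parse_ipsec_conf(text)
    unique = setup.get("uniqueids", "yes") not in ("no", "never")
    base = dict(CONN_DEFAULTS, **conns.get("%default", {}))
    flagged = []
    for name, opts in conns.items():
        eff = dict(base, **opts)                   # effective settings for this conn
        if name != "%default" and unique and eff["reauth"] == "yes" \
                and eff["dpdaction"] == "restart":
            flagged.append(name)
    return sorted(flagged)
```

Run it against the real /etc/ipsec.conf to see which conns should get reauth=no before enabling dpdaction=restart.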
