[strongSwan] charon starts unexpected DELETE exchange immediately after initial tunnel setup

Roman Jaehn listmail2001-2010 at yahoo.de
Sun Sep 19 12:31:19 CEST 2010


Hi strongSwan users and developers,

The following issue was reported to us. When we try to reproduce it under
debug-friendly conditions (our own lab), the unexpected message exchange does not occur!

Situation:
"left" is configured as end node and has 2 IPv4 addresses: L1 and L2 (plain
interface address and alias)
"right" has 1 address and is configured as gateway. Both nodes are running
strongSwan v4.4.1.
IKEv2 tunnels are defined as follows, I hope that I don't leave out too much
important information:

conn l1r
  leftsubnet=L1/32
  rightsubnet=R/23
  left=L1
  right=R

conn l2r
  leftsubnet=L2/32
  rightsubnet=R/23
  left=L2
  right=R

left has "auto=start" and right has "auto=add".

The tunnel establishment sequence seems to work nicely in the beginning, after both
nodes are started:

1.   L1   ->      R       IKE_SA_INIT
2.   L2   ->      R       IKE_SA_INIT
3.   R   ->      L2       IKE_SA_INIT
4.   R   ->      L1       IKE_SA_INIT
5.   L2   ->      R       IKE_AUTH
6.   L1   ->      R       IKE_AUTH
7.   R   ->      L2       IKE_AUTH
8.   R   ->      L1       IKE_AUTH

But ...
immediately after both configured tunnels are established, left starts a DELETE
exchange for the second connection, followed by a re-establishment of the same
(within milliseconds).
No particular reason for the deletion is found in the logs that are available.

9.  L2   ->   R           INFORMATIONAL (Delete request for IKE SA l2r)
10. R   ->   L2           INFORMATIONAL (Delete response)
11. L2   ->   R           IKE_SA_INIT
12. L2   ->   R           IKE_SA_INIT
13. R   ->   L2           IKE_SA_INIT
14. R   ->   L2           IKE_SA_INIT
15. R   ->   L2           IKE_AUTH
16. L2   ->   R           IKE_AUTH
17. L2   ->   R           IKE_AUTH
18. R   ->   L2           IKE_AUTH

After that both tunnels are stable.
Could anybody explain why the Delete exchange is started by charon?
Is it because "left" assumes (wrongly or not) that it has a duplicate IKE SA (and if so, why)?

Any idea is welcome.
Regards, Roman (NSN - DE/Duesseldorf)

P.S.: This may be related to one issue that was reported recently on this list:
Why does charon delete all IKE_SA?
(https://lists.strongswan.org/pipermail/users/2010-September/005252.html)
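Added here as an example, not code from the post or from strongSwan: a small Python check that parses an exchange listing in the format shown above and flags an endpoint that sends a Delete for an IKE_SA straight after the gateway's IKE_AUTH response established it and then immediately re-initiates. The listing it runs on is constructed from steps 1-12 of the post, and the gateway address (R) is passed in as a parameter rather than detected.

```python
import re

# Constructed from steps 1-12 of the exchange listing in the post, not a real charon log.
EXCHANGES = """\
1.   L1   ->      R       IKE_SA_INIT
2.   L2   ->      R       IKE_SA_INIT
3.   R   ->      L2       IKE_SA_INIT
4.   R   ->      L1       IKE_SA_INIT
5.   L2   ->      R       IKE_AUTH
6.   L1   ->      R       IKE_AUTH
7.   R   ->      L2       IKE_AUTH
8.   R   ->      L1       IKE_AUTH
9.  L2   ->   R           INFORMATIONAL (Delete request for IKE SA l2r)
10. R   ->   L2           INFORMATIONAL (Delete response)
11. L2   ->   R           IKE_SA_INIT
12. L2   ->   R           IKE_SA_INIT
"""

LINE_RE = re.compile(r"^(\d+)\.\s+(\S+)\s+->\s+(\S+)\s+(\w+)(?:\s+\((.*)\))?\s*$")

def parse_exchanges(text):
    """Parse 'N. src -> dst TYPE (note)' lines into event dicts; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            step, src, dst, kind, note = m.groups()
            events.append({"step": int(step), "src": src, "dst": dst,
                           "type": kind, "note": note or ""})
    return events

def find_delete_churn(events, gateway):
    """Report endpoints that send a Delete for an IKE_SA right after the
    gateway's IKE_AUTH response established it, then re-initiate at once."""
    state, findings = {}, []
    for ev in events:
        peer = ev["dst"] if ev["src"] == gateway else ev["src"]
        st = state.setdefault(peer, {})
        if ev["type"] == "IKE_AUTH" and ev["src"] == gateway:
            st["established"] = ev["step"]          # tunnel up from the peer's view
        elif (ev["type"] == "INFORMATIONAL" and ev["src"] == peer
              and "delete request" in ev["note"].lower() and "established" in st):
            st["deleted"] = ev["step"]              # the peer tore it down itself
        elif ev["type"] == "IKE_SA_INIT" and ev["src"] == peer and "deleted" in st:
            findings.append({"peer": peer, "established_at": st["established"],
                             "deleted_at": st["deleted"], "reinit_at": ev["step"]})
            st.clear()                              # one finding per churn cycle
    return findings
```

Running `find_delete_churn(parse_exchanges(EXCHANGES), "R")` on the constructed listing reports one churn cycle for L2 (established at step 7, deleted at step 9, re-initiated at step 11) and none for L1.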
