[strongSwan] Initiator Problem

Tetsuya Okumichi okumichi.tetsuya at jp.panasonic.com
Tue Aug 2 02:08:24 CEST 2011


Hi all,

My network looks like this:

    [My Host(Strongswan)]----[Security GW]-----[Peer Host]

My Host(Strongswan) communicates with Peer Host.
My Host has Strongswan 4.4.1 installed on Linux 2.6.19.


The trouble occurred as in the following sequence.

Strongswan                      Security GW
   |                                  |
   | Network trouble occurred.        | IKE_SA and CHILD_SA are closed  by DPD.
   |                                  |
   ====================================
   |                                  |
   |                                  |
   |----------IKE_INIT(A)---> X       | Strongswan initiates IKE Sequence.
   |                                  | Security GW doesn't receive IKE_INIT (due to congestion).
   |                                  |
   |<---------IKE_INIT(SA#1)----------| Security GW initiates IKE Sequence.
   |----------IKE_INIT(SA#1)--------->| IKE_SA(SA#1) is established.
   |<---------IKE_AUTH(SA#1)----------|
   |----------IKE_AUTH(SA#1)--------->| CHILD_SA(#1) is established.
   |                                  |
   |----------IKE_INIT(SA#2)--------->| Strongswan retransmits IKE_INIT(A) (the I-Cookie is the same as in IKE_INIT(A)).
   |<---------IKE_INIT(SA#2)----------|
   |----------IKE_AUTH(SA#2)--------->|
   |<---------IKE_AUTH(SA#2)----------| IKE_SA(SA#2) is established.
   |                                  |   but Security Gateway releases IKE_SA(SA#1),
   |                                  |   because an IKE_SA is already established with the same peer (Strongswan).
   |-------IKE Information(SA#1)----->| for KeepAlive,
   |                                  |   but Security Gateway does not respond,
   |                                  |   because Security Gateway doesn't have IKE_SA(SA#1).
   |                                  | 
   |-------IKE Information(SA#1)----->| Strongswan retries KeepAlive n times.
   |                                  |   After DPD detects the failure, Strongswan releases IKE_SA(SA#1).
   |                                  | 
   |----------IKE_INIT(SA#3)--------->| Strongswan starts the IKE sequence again, because IKE_SA(SA#1) is down.

The most serious problem is that
  Strongswan would repeat the sequence of IKE_SA setup and release.

I hope that Strongswan does not start an IKE sequence
if an IKE_SA is already established with the same Security Gateway.
(I hope that the number of IKE_SAs between Strongswan and one Security
Gateway is only one, if I use DPD and set dpdaction = restart.)


Do you have any resolution?
Thanks for help.

Best regards,
Tetsuya
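The setup-and-release loop in the sequence above, as an added model (not strongSwan code and not part of the original post). It assumes a gateway that keeps only one IKE_SA per peer identity and an initiator whose dpdaction=restart queues a new IKE_INIT for every SA that fails DPD; the `dedupe` flag models the hoped-for behaviour of discarding a queued IKE_INIT once an IKE_SA with the same gateway exists.

```python
from dataclasses import dataclass, field

@dataclass
class Initiator:
    sas: list = field(default_factory=list)   # IKE_SAs this side believes are up
    pending_init: int = 0                     # IKE_INITs queued for (re)transmission
    dedupe: bool = False                      # hoped-for: one IKE_SA per gateway

@dataclass
class Gateway:
    sas: set = field(default_factory=set)     # IKE_SAs the gateway still holds

def establish(gw, ini, sa):
    """Complete an IKE_SA. Constructed gateway policy: keep only one IKE_SA
    per peer identity, so any older SA with this peer is released silently."""
    gw.sas.clear()
    gw.sas.add(sa)
    ini.sas.append(sa)
    if ini.dedupe:
        ini.pending_init = 0  # an SA to this gateway exists; drop queued IKE_INITs

def dpd_round(gw, ini):
    """Initiator sends DPD on each IKE_SA it holds. An SA the gateway no longer
    knows gets no reply; dpdaction=restart tears it down and queues IKE_INIT."""
    dead = [sa for sa in ini.sas if sa not in gw.sas]
    for sa in dead:
        ini.sas.remove(sa)
        ini.pending_init += 1
    return dead

def simulate(dedupe, rounds=4):
    """Return (number of IKE_SAs set up, list of SAs that failed DPD)."""
    ini, gw = Initiator(dedupe=dedupe), Gateway()
    ini.pending_init = 1           # IKE_INIT(A) lost to congestion, still queued
    count = 0
    def new_sa():
        nonlocal count
        count += 1
        return f"SA#{count}"
    establish(gw, ini, new_sa())   # gateway-initiated exchange wins the race
    failed = []
    for _ in range(rounds):
        while ini.pending_init:    # each queued IKE_INIT completes as another SA
            ini.pending_init -= 1
            establish(gw, ini, new_sa())
        failed.extend(dpd_round(gw, ini))
    return count, failed

if __name__ == "__main__":
    print("as reported:", simulate(dedupe=False))  # (5, ['SA#1', 'SA#2', 'SA#3', 'SA#4'])
    print("hoped-for:  ", simulate(dedupe=True))   # (1, [])
```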
