[strongSwan] Fw: strongswan IKEv2 ikesa rekey

Dennis Frett frett at us.ibm.com
Fri Jun 24 07:08:22 CEST 2011


I was able to make it such that the old child_sa is cleaned up right away 
and after that the IKE_SA init from the test system worked.  I no longer 
got the No_proposal_chosen reply.

regards, 


----- Forwarded by Dennis Frett/Rochester/IBM on 06/23/2011 11:57 PM -----

From:   Dennis Frett/Rochester/IBM
To:     users at lists.strongswan.org
Date:   06/23/2011 10:23 AM
Subject:        strongswan IKEv2 ikesa rekey


I'm trying to debug a situation with rekeying of IKE_SA from a test system 
to strongSwan. 
The original IKE_SA is authenticated from the test system to strongSwan.
Subsequent rekeying of Child_sa's happens in between.
strongSwan receives a create_child_sa for a new IKE_SA but according to 
the message below, it rejects the request because it says there's a half 
open child_sa.
That seems to be a misleading message.  All of the create child_sa 
requests have completed.   There are currently two open child_sa's for the 
IKE_SA as after the last child_sa rekey, the test system did not promptly 
remove the old child_sa.
Is that what the message is referring to on the IKE_SA rekey request or is 
it something else?




Jun 22 18:41:06 blackthumb charon: 13[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]
Jun 22 18:41:06 blackthumb charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 22 18:41:06 blackthumb charon: 13[IKE] 9.5.40.33 is initiating an IKE_SA
Jun 22 18:41:06 blackthumb charon: 13[IKE] sending cert request for "C=US, O=IBM, CN=BlackthumbCA"
Jun 22 18:41:06 blackthumb charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 22 18:41:06 blackthumb charon: 13[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]
Jun 22 18:41:08 blackthumb charon: 11[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]
Jun 22 18:41:08 blackthumb charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 22 18:41:08 blackthumb charon: 11[CFG] looking for peer configs matching 9.5.149.53[9.5.149.53]...9.5.40.33[9.5.40.33]
Jun 22 18:41:08 blackthumb charon: 11[CFG] selected peer config 'strongswan-system'
Jun 22 18:41:08 blackthumb charon: 11[IKE] authentication of '9.5.40.33' with pre-shared key successful
Jun 22 18:41:08 blackthumb charon: 11[IKE] authentication of '9.5.149.53' (myself) with pre-shared key
Jun 22 18:41:08 blackthumb charon: 11[IKE] IKE_SA strongswan-system[43] established between 9.5.149.53[9.5.149.53]...9.5.40.33[9.5.40.33]
Jun 22 18:41:08 blackthumb charon: 11[IKE] scheduling rekeying in 983s
Jun 22 18:41:08 blackthumb charon: 11[IKE] maximum IKE_SA lifetime 1103s
Jun 22 18:41:08 blackthumb charon: 11[IKE] CHILD_SA strongswan-system{4} established with SPIs c88bfde2_i d89a0c68_o and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:41:08 blackthumb charon: 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 22 18:41:08 blackthumb charon: 11[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]
Jun 22 18:48:11 blackthumb charon: 16[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]
Jun 22 18:48:11 blackthumb charon: 16[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Jun 22 18:48:11 blackthumb charon: 16[IKE] CHILD_SA strongswan-system{4} established with SPIs c3ac6e16_i a02ba143_o and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:48:11 blackthumb charon: 16[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Jun 22 18:48:11 blackthumb charon: 16[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]
Jun 22 18:51:11 blackthumb charon: 01[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]
Jun 22 18:51:11 blackthumb charon: 01[ENC] parsed INFORMATIONAL request 3 [ D ]
Jun 22 18:51:11 blackthumb charon: 01[IKE] received DELETE for ESP CHILD_SA with SPI d89a0c68
Jun 22 18:51:11 blackthumb charon: 01[IKE] closing CHILD_SA strongswan-system{4} with SPIs c88bfde2_i (0 bytes) d89a0c68_o (0 bytes) and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:51:11 blackthumb charon: 01[IKE] sending DELETE for ESP CHILD_SA with SPI c88bfde2
Jun 22 18:51:11 blackthumb charon: 01[IKE] CHILD_SA closed
Jun 22 18:51:11 blackthumb charon: 01[ENC] generating INFORMATIONAL response 3 [ D ]
Jun 22 18:51:11 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]
Jun 22 18:55:14 blackthumb charon: 09[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]
Jun 22 18:55:14 blackthumb charon: 09[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
Jun 22 18:55:14 blackthumb charon: 09[IKE] CHILD_SA strongswan-system{4} established with SPIs c824af9e_i 7b2f7697_o and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:55:14 blackthumb charon: 09[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
Jun 22 18:55:14 blackthumb charon: 09[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]
Jun 22 18:56:09 blackthumb charon: 06[NET] received packet: from 9.5.40.33[500] to 9.5.149.53[500]
Jun 22 18:56:09 blackthumb charon: 06[ENC] parsed CREATE_CHILD_SA request 5 [ SA No KE ]
Jun 22 18:56:09 blackthumb charon: 06[IKE] peer initiated rekeying, but a child is half-open
Jun 22 18:56:09 blackthumb charon: 06[ENC] generating CREATE_CHILD_SA response 5 [ N(NO_PROP) ]
Jun 22 18:56:09 blackthumb charon: 06[NET] sending packet: from 9.5.149.53[500] to 9.5.40.33[500]
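
Added example, not part of the original post and not strongSwan code: a small Python log walker that replays the CHILD_SA "established" and "closing" lines from the log above and lists which CHILD_SAs were still open when the IKE_SA rekey was refused. It assumes a single IKE_SA in the log and only reproduces the observation in the post; it does not model charon's internal half-open check. The function and variable names are hypothetical.

```python
import re

# Excerpt of the charon log from the post above (mail line-wrapping undone,
# NET/ENC lines omitted).
LOG = """\
Jun 22 18:41:08 blackthumb charon: 11[IKE] CHILD_SA strongswan-system{4} established with SPIs c88bfde2_i d89a0c68_o and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:48:11 blackthumb charon: 16[IKE] CHILD_SA strongswan-system{4} established with SPIs c3ac6e16_i a02ba143_o and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:51:11 blackthumb charon: 01[IKE] closing CHILD_SA strongswan-system{4} with SPIs c88bfde2_i (0 bytes) d89a0c68_o (0 bytes) and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:55:14 blackthumb charon: 09[IKE] CHILD_SA strongswan-system{4} established with SPIs c824af9e_i 7b2f7697_o and TS 9.5.149.53/32 === 9.5.40.33/32
Jun 22 18:56:09 blackthumb charon: 06[IKE] peer initiated rekeying, but a child is half-open
"""

# Hypothetical patterns written against the line shapes visible in the post.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ charon: \d+\[IKE\] (.*)$")
ESTABLISHED = re.compile(r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CLOSING = re.compile(r"closing CHILD_SA \S+ with SPIs ([0-9a-f]+)_i")
REFUSED = "peer initiated rekeying, but a child is half-open"


def refused_rekeys(log_text):
    """Return [(time, [(spi_in, spi_out, established_at), ...])] per refused IKE_SA rekey."""
    open_children = {}  # inbound SPI -> (outbound SPI, time established)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an [IKE] line, or a wrapped continuation line
        stamp, msg = m.groups()
        if (e := ESTABLISHED.search(msg)):
            open_children[e.group(1)] = (e.group(2), stamp)
        elif (c := CLOSING.search(msg)):
            open_children.pop(c.group(1), None)
        elif REFUSED in msg:
            findings.append((stamp, [(i, o, t) for i, (o, t) in open_children.items()]))
    return findings


if __name__ == "__main__":
    for stamp, children in refused_rekeys(LOG):
        print(f"{stamp}: IKE_SA rekey refused with {len(children)} CHILD_SA(s) still open")
        for spi_in, spi_out, since in children:
            print(f"  {spi_in}_i {spi_out}_o  established {since}")
```

Feed it unwrapped log lines; a line folded by a mail client no longer matches the patterns and is skipped.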

