[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared

Ghosh, Anurag (EXT-Aricent - IN) anurag.ghosh.ext at nsn.com
Thu Apr 12 19:56:47 CEST 2012


Hi Tobias,
 
We have added reauth=no to the ipsec.conf and retested our scenario once. We could observe from the tcpdump on the node triggering the traffic that even now an INFORMATIONAL message (with Next Payload: Delete) is sent just before the IKE_SA re-keying [the behaviour is the same as it was with reauth=yes]. As per our understanding this should not be the case [as per your suggestion this is normal when reauth=yes].
Please let us know your opinion on this. 
We will run the test scenario again and see if we have any difference. 
 
The ipsec.conf file is provided below for your reference.
# ipsec.conf

config setup
        charonstart=yes
        plutostart=no
        charondebug="knl 0,enc 0,net 0"

conn %default
        # auto=route installs trap policies: traffic matching a policy
        # while no IPsec SA is installed raises an acquire
        auto=route
        keyexchange=ikev2
        reauth=no

conn RULE1~VPN1
        # rekey between 100s and 200s before expiry (margin 100s, fuzz 100%)
        rekeymargin=100
        rekeyfuzz=100%
        left=10.1.1.1
        right=20.1.1.1
        leftsubnet=10.1.1.1/32
        rightsubnet=20.1.1.1/32
        leftprotoport=%any
        rightprotoport=%any
        authby=secret
        leftid=10.1.1.1
        rightid=20.1.1.1
        # "!" makes the proposal strict; note that MD5, MODP-768 and 3DES are weak
        ike=aes128-md5-modp768!
        esp=3des-md5
        type=tunnel
        # IKE_SA lifetime
        ikelifetime=600s
        # CHILD_SA lifetime
        keylife=300s
        # rekey the IKE_SA in place instead of deleting and re-authenticating it
        reauth=no
        dpdaction=clear
        mobike=no
        auto=route

Thanks and Regards,
Anurag Ghosh

________________________________

From: Ghosh, Anurag (EXT-Aricent - IN)
Sent: Wed 4/11/2012 9:00 PM
To: ext Tobias Brunner
Cc: users at lists.strongswan.org; jyoti.singh at aricent.com; Agarwal, Nupur (EXT-Aricent - US); Dharwadkar, Sriram (NSN - IN/Bangalore)
Subject: RE: Reporting Issue:Old CHILD_SA not getting cleared


Hi Tobias,
 
Thanks a lot for the information. 
We will test the scenario as per your inputs and let you know the results.
 
Thanks and Regards,
Anurag Ghosh

________________________________

From: ext Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Wed 4/11/2012 8:28 PM
To: Ghosh, Anurag (EXT-Aricent - IN)
Cc: users at lists.strongswan.org; jyoti.singh at aricent.com; Agarwal, Nupur (EXT-Aricent - US); Dharwadkar, Sriram (NSN - IN/Bangalore)
Subject: Re: Reporting Issue:Old CHILD_SA not getting cleared



Hi Anurag,

> As per the below conf file I assume that reauth is set to "yes", even
> though I do not set it explicitly. Can you please confirm this?

Yes, reauth=yes is currently the default.  And by using auto=route you
created the same problem as recently discussed on this mailing list with
Anand Rao (see [1]).

> As per our understanding this new CHILD_SA with identifier {1} should not be created at all.

As explained to Anand this additional CHILD_SA is caused by acquires
which are triggered by traffic matching the installed policies during
the downtime when the IKE_SA is reauthenticated and no IPsec SA is
installed in the kernel.  Setting reauth=no avoids this downtime (and
consequently this CHILD_SA) because the IKE_SA is rekeyed without
deleting it first.

Regards,
Tobias

[1] https://lists.strongswan.org/pipermail/users/2012-April/007401.html
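As an added illustration (not code from this thread and not strongSwan's own implementation), the following Python model plays out the mechanism Tobias describes above: with reauth=yes the IKE_SA and its CHILD_SAs are deleted first, so a packet that hits the auto=route trap policy during the re-authentication gap raises an acquire and yields a second CHILD_SA; with reauth=no the IKE_SA is rekeyed in place and the old one is deleted only afterwards, so no gap and no extra CHILD_SA. The classes Kernel and Initiator, the run() helper and the exchange labels are this model's own; the payload notation only mimics charon's log style.

```python
"""Constructed model (not strongSwan code) of why reauth=yes + auto=route
produces an extra CHILD_SA while reauth=no does not."""
from dataclasses import dataclass, field

DELETE = "INFORMATIONAL [ D ]"
IKE_REKEY = "CREATE_CHILD_SA [ SA No KE ]"
CHILD_FROM_ACQUIRE = "CREATE_CHILD_SA [ SA No TSi TSr ]"


@dataclass
class Kernel:
    """Stand-in for the IPsec policies/SAs charon installs in the kernel."""
    trap_policy: bool                       # True when auto=route is used
    sas: set = field(default_factory=set)   # reqids that currently have an SA
    acquires: list = field(default_factory=list)

    def send(self, reqid: int) -> str:
        """Outbound packet matching the policy for reqid."""
        if reqid in self.sas:
            return "protected"
        if self.trap_policy:
            self.acquires.append(reqid)     # no SA yet: the kernel raises an acquire
            return "acquire"
        return "unprotected"                # no trap policy, nothing to acquire on


@dataclass
class Initiator:
    """The slice of charon behaviour the thread is about (hypothetical model)."""
    reauth: bool
    kernel: Kernel
    reqid: int = 1
    ike_sa: int = 1
    child_sas: list = field(default_factory=list)   # CHILD_SA ids under the IKE_SA
    messages: list = field(default_factory=list)    # exchanges sent, in order
    next_child: int = 1

    def install_child(self) -> int:
        cid = self.next_child
        self.next_child += 1
        self.child_sas.append(cid)
        self.kernel.sas.add(self.reqid)
        return cid

    def establish(self) -> None:
        self.messages += ["IKE_SA_INIT", "IKE_AUTH"]
        self.install_child()

    def ike_lifetime_expired(self, traffic_during_gap: bool) -> None:
        if self.reauth:
            # reauth=yes: tear the IKE_SA (and its CHILD_SAs) down first ...
            self.messages.append(DELETE)
            self.child_sas.clear()
            self.kernel.sas.discard(self.reqid)
            if traffic_during_gap:
                self.kernel.send(self.reqid)    # hits the trap policy -> acquire
            # ... then authenticate again and re-create the configured CHILD_SA
            self.ike_sa += 1
            self.messages += ["IKE_SA_INIT", "IKE_AUTH"]
            self.install_child()
            # acquires queued during the gap are serviced too: the extra CHILD_SA
            while self.kernel.acquires:
                self.kernel.acquires.pop()
                self.messages.append(CHILD_FROM_ACQUIRE)
                self.install_child()
        else:
            # reauth=no: rekey the IKE_SA in place; CHILD_SAs stay installed,
            # so traffic keeps flowing and no acquire is raised
            self.messages.append(IKE_REKEY)
            self.ike_sa += 1
            if traffic_during_gap:
                self.kernel.send(self.reqid)
            self.messages.append(DELETE)        # old IKE_SA deleted afterwards


def run(reauth: bool, traffic_during_gap: bool, auto_route: bool = True) -> Initiator:
    """Establish once, let the IKE_SA lifetime expire, return the resulting state."""
    ini = Initiator(reauth=reauth, kernel=Kernel(trap_policy=auto_route))
    ini.establish()
    ini.ike_lifetime_expired(traffic_during_gap)
    return ini


if __name__ == "__main__":
    for reauth in (True, False):
        ini = run(reauth, traffic_during_gap=True)
        print(f"reauth={'yes' if reauth else 'no'}: CHILD_SAs {ini.child_sas}, "
              f"exchanges {ini.messages}")
```

Running it shows the two CHILD_SAs only in the reauth=yes case with traffic during the gap; the same run with auto_route=False raises no acquire, which is the other half of Tobias's point.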