[strongSwan] Failed to create IKEv2 CHILD_SA if peer rekeyed IKE_SA

Martin Willi martin at strongswan.org
Wed Dec 19 10:28:08 CET 2012


> The strongSwan responder was having trouble rekeying IKE SAs with
> Windows 7 Agile VPN initiator every 3 hours due to "unacceptable traffic
> selectors."

According to your log (and your subject), I'd guess it is the other way
round: CHILD_SA rekeying fails once an IKE_SA rekeying completed. An
IKE_SA rekeying doesn't transfer any traffic selectors, it actually
can't fail for this reason.

> strongswan-5.0.1

I recently fixed an annoying bug that can affect rekeyings: the virtual
IP was not transferred correctly during IKE_SA rekeying. For rekeyed
IKE_SAs, the virtual IP is not available anymore, which affects traffic
selector derivation/selection if they are "dynamic".

Please try the patch at [1], chances are good that it fixes this issue.
Only 5.0.1 is affected, 5.0.2 will include the fix.



More information about the Users mailing list