[strongSwan] Failed to create IKEv2 CHILD_SA if peer rekeyed IKE_SA
Martin Willi
martin at strongswan.org
Wed Dec 19 10:28:08 CET 2012
Hi,

> The strongSwan responder was having trouble rekeying IKE SAs with
> Windows 7 Agile VPN initiator every 3 hours due to "unacceptable traffic
> selectors."

According to your log (and your subject), I'd guess it is the other way
round: CHILD_SA rekeying fails once an IKE_SA rekeying completed. An
IKE_SA rekeying doesn't transfer any traffic selectors, it actually
can't fail for this reason.

> strongswan-5.0.1

I recently fixed an annoying bug that can affect rekeyings: the virtual
IP was not transferred correctly during IKE_SA rekeying. For rekeyed
IKE_SAs, the virtual IP is not available anymore, which affects traffic
selector derivation/selection if they are "dynamic".

Please try the patch at [1], chances are good that it fixes this issue.
Only 5.0.1 is affected, 5.0.2 will include the fix.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=43b4c2ea
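
Added example, not part of the original message and not strongSwan code: a simplified Python model of why a "dynamic" traffic selector stops matching once the virtual IP is missing from a rekeyed IKE_SA. The class and function names, the addresses, the fallback to the peer's IKE address, and the peer proposing its virtual IP as a /32 selector are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class IkeSa:                       # hypothetical model, not a strongSwan type
    peer_host: str                 # peer's IKE endpoint address
    virtual_ips: list = field(default_factory=list)  # addresses leased to the peer

def rekey_ike_sa(old, transfer_vips):
    """Build the IKE_SA that replaces `old`.
    transfer_vips=False models the 5.0.1 behaviour described in the message."""
    return IkeSa(old.peer_host, list(old.virtual_ips) if transfer_vips else [])

def resolve_dynamic(sa):
    """Expand a "dynamic" selector: the virtual IPs if the SA has any,
    otherwise the peer's IKE address (assumed fallback for this model)."""
    return [ipaddress.ip_network(a) for a in (sa.virtual_ips or [sa.peer_host])]

def narrow(proposed, configured):
    """Intersect two lists of CIDR networks, as traffic selector narrowing does."""
    out = []
    for p in proposed:
        for c in configured:
            if p.version != c.version:
                continue
            if p.subnet_of(c):
                out.append(p)
            elif c.subnet_of(p):
                out.append(c)
    return out

def create_child_sa(sa, proposed_ts):
    """Return the selected selectors, or TS_UNACCEPTABLE if nothing is left."""
    proposed = [ipaddress.ip_network(t) for t in proposed_ts]
    selected = narrow(proposed, resolve_dynamic(sa))
    return [str(n) for n in selected] or "TS_UNACCEPTABLE"

if __name__ == "__main__":
    # Constructed sample values: documentation address and a private lease.
    original = IkeSa("198.51.100.7", ["10.10.0.5"])
    proposal = ["10.10.0.5/32"]
    print("before IKE_SA rekey:", create_child_sa(original, proposal))
    print("rekeyed, VIP lost:  ",
          create_child_sa(rekey_ike_sa(original, False), proposal))
    print("rekeyed, VIP kept:  ",
          create_child_sa(rekey_ike_sa(original, True), proposal))
```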