[strongSwan] Failed to create IKEv2 CHILD_SA if peer rekeyed IKE_SA
martin at strongswan.org
Wed Dec 19 10:28:08 CET 2012
> The strongSwan responder was having trouble rekeying IKE SAs with
> Windows 7 Agile VPN initiator every 3 hours due to "unacceptable traffic
According to your log (and your subject), I'd guess it is the other way
round: CHILD_SA rekeying fails once an IKE_SA rekeying completed. An
IKE_SA rekeying doesn't transfer any traffic selectors, it actually
can't fail for this reason.
I recently fixed an annoying bug that can affect rekeyings: the virtual
IP was not transferred correctly during IKE_SA rekeying. For rekeyed
IKE_SAs, the virtual IP is not available anymore, which affects traffic
selector derivation/selection if they are "dynamic".
Please try the patch at , chances are good that it fixes this issue.
Only 5.0.1 is affected, 5.0.2 will include the fix.
More information about the Users