[strongSwan] Failed to create IKEv2 CHILD_SA if peer rekeyed IKE_SA

Tianjie Mao tjmao at tjmao.net
Wed Dec 19 18:34:40 CET 2012


Thanks for the response. So far the patch has worked pretty well and virtual
IPs are now transferred to the new IKE_SA on rekeying.

I should have checked git log first for any recent commits. :)


On 12/19/12, Martin Willi <martin at strongswan.org> wrote:
> Hi,
> According to your log (and your subject), I'd guess it is the other way
> round: CHILD_SA rekeying fails once an IKE_SA rekeying completed. An
> IKE_SA rekeying doesn't transfer any traffic selectors, it actually
> can't fail for this reason.
> I recently fixed an annoying bug that can affect rekeyings: the virtual
> IP was not transferred correctly during IKE_SA rekeying. For rekeyed
> IKE_SAs, the virtual IP is not available anymore, which affects traffic
> selector derivation/selection if they are "dynamic".
> Please try the patch at [1], chances are good that it fixes this issue.
> Only 5.0.1 is affected, 5.0.2 will include the fix.
> Regards
> Martin
> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=43b4c2ea

More information about the Users mailing list