[strongSwan] Question regarding failed Child SA response

Eric_C_Johnson at Dell.com Eric_C_Johnson at Dell.com
Mon Jan 16 15:21:44 CET 2012


Bumping this as I haven't heard back.  Any thoughts?

From: Johnson, Eric C
Sent: Friday, January 13, 2012 11:29 AM
To: 'users at lists.strongswan.org'
Subject: Question regarding failed Child SA response

I have a scenario where I'm trying to establish a cert based tunnel between two hosts (one using Strongswan and the other not) using IKEv2.

I inadvertently created an ID mismatch on the initiating Strongswan host.  For example, on the Ubuntu host I configured the rightid value as email at domain.com but on the remote peer I had a local certificate with a Subject Alternative Name (SAN) value of host.domain.com.  Basically I misconfigured the peers where one was expecting the email SAN type while the other was sending the dns SAN type.  The good news is I understand the problem and have managed to get things working.  What I don't understand is the behavior to account for this configuration issue.  During the Child SA exchange the Strongswan host sends the request and the remote peer sends the corresponding Child SA response.  But due to the misconfiguration, the Child SA response essentially fails.  However, the remote peer thinks the tunnel is up while the Strongswan host does not.  And I can't determine if this is appropriate behavior or not.  It seems like there should be some mechanism built into the IKEv2 protocol to accommodate a failed Child SA response.  My initial reaction is the Strongswan host should be sending a notification message to the remote peer to inform it the tunnel is not fully established and to clean up the Child SAs so a new request can be sent.  But I never see a notify message or a new request sent from the Strongswan host.

Following are the relevant log entries from the Strongswan initiating attempt (I have removed the majority of the entries for security reasons) ...
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG]   fetching crl from 'file://\\StandAloneCA\CertEnroll\sqaca.crl' ...
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[LIB] libcurl http request failed: Couldn't open file \\StandAloneCA\CertEnroll\sqaca.crl
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG] crl fetching failed
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG]   fetching crl from 'http://standaloneca/CertEnroll/sqaca.crl' ...
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[LIB] libcurl http request failed: Couldn't resolve host 'standaloneca'
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG] crl fetching failed
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG] certificate status is not available
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG]   reached self-signed root ca with a path length of 0
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[IKE] authentication of '<host.domain.com>' with RSA signature successful
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG] constraint check failed: identity '<email at domain.com>' required
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG] selected peer config 'ubuntu-gamera6_ipv4_wka' inacceptable
Jan 13 10:55:42 gyaos6-PowerEdge-R610 charon: 08[CFG] no alternative config found
Jan 13 10:55:50 gyaos6-PowerEdge-R610 kernel: [1557141.489236] device eth0 left promiscuous mode

Running 'ipsec statusall' confirms that Strongswan does not think the Child SA is established.

Again, I know why the tunnel "fails" (and it does come up when I fix the configuration issue).  I just need some help understanding how\why either host fails to recover from the failed Child SA response.  Thanks for any help that can be provided.
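
Added example, not part of the original message and not strongSwan code: a small Python check that scans charon log lines for the pattern shown in the log above, where the peer's signature verifies but the identity it proved is not the one the local config requires. The sample lines, host name and connection name are constructed, and treating the two-digit number before `[IKE]`/`[CFG]` as the charon worker thread is an assumption used to correlate lines.

```python
import re

# Message formats copied from the charon log lines quoted in the post above.
AUTH_OK = re.compile(r"charon: (\d+)\[IKE\] authentication of '([^']*)' with .* successful")
ID_REQUIRED = re.compile(r"charon: (\d+)\[CFG\] constraint check failed: identity '([^']*)' required")
REJECTED = re.compile(r"charon: (\d+)\[CFG\] selected peer config '([^']*)' inacceptable")

def id_kind(identity):
    """Heuristic guess at the identity type (assumption, not strongSwan's own parser)."""
    if "@" in identity:
        return "email"
    return "DN" if "=" in identity else "FQDN"

def find_id_mismatches(lines):
    """Pair each proven peer identity with the identity the local config required."""
    proven, pending, findings = {}, {}, []
    for line in lines:
        if m := AUTH_OK.search(line):
            proven[m.group(1)] = m.group(2)  # keyed by charon thread number
        elif m := ID_REQUIRED.search(line):
            finding = {"authenticated": proven.pop(m.group(1), None),
                       "required": m.group(2), "config": None}
            pending[m.group(1)] = finding
            findings.append(finding)
        elif (m := REJECTED.search(line)) and m.group(1) in pending:
            pending.pop(m.group(1))["config"] = m.group(2)
    return findings

# Constructed sample input: host name, connection name and second peer are made up.
SAMPLE_LOG = [
    "Jan 13 10:55:42 vpn-host charon: 08[IKE] authentication of 'host.domain.com' with RSA signature successful",
    "Jan 13 10:55:42 vpn-host charon: 08[CFG] constraint check failed: identity 'email@domain.com' required",
    "Jan 13 10:55:42 vpn-host charon: 08[CFG] selected peer config 'example-conn' inacceptable",
    "Jan 13 10:56:10 vpn-host charon: 11[IKE] authentication of 'peer2.domain.com' with RSA signature successful",
]

if __name__ == "__main__":
    for f in find_id_mismatches(SAMPLE_LOG):
        got = f["authenticated"]
        got_kind = id_kind(got) if got else "unknown"
        print(f"config {f['config']}: peer proved {got!r} ({got_kind}), "
              f"local config requires {f['required']!r} ({id_kind(f['required'])})")
```

A finding whose two identities are of different kinds (here FQDN versus email) points at the rightid/SAN type mismatch described in the message rather than at a certificate trust problem.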