[strongSwan] Question regarding failed Child SA response

Martin Willi martin at strongswan.org
Tue Jan 17 09:56:19 CET 2012


Hi,

> I just need some help understanding how/why either host fails to
> recover from the failed Child SA response.

It's not related to the CHILD_SA, but authentication fails at the
initiator because the identity constraint is not fulfilled.

The IKEv2 protocol does not specify a mechanism to send an
AUTHENTICATION_FAILED in this situation, as the exchange is complete.
The best option probably would be to send a DELETE for the failed
IKE_SA, but we currently don't do it. Maybe I'll implement it some day,
but it is not top priority for me. It doesn't happen that much in the
wild, and often the responder does not care about the non-functional SA.
It will get deleted by some other mechanisms (DPD, rekeying or
INITIAL_CONTACT).

Regards
Martin
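
As an added illustration, not part of the original mail and not strongSwan's own configuration, the two ipsec.conf sides of the situation described above: the initiator's rightid is the identity constraint that is checked after IKE_AUTH completes, and DPD on the responder is one of the cleanup mechanisms named for the SA that is otherwise left behind. All hostnames, identities and file names are constructed placeholders.

```ini
# --- initiator side (ipsec.conf, strongSwan) -------------------------------
# The initiator compares the IDr the responder sends (and the responder's
# certificate) against rightid. If they do not match, authentication fails
# locally after the IKE_AUTH exchange has already completed, and no
# AUTHENTICATION_FAILED notify exists for this stage of the protocol.
conn to-gateway
    keyexchange=ikev2
    left=%defaultroute
    leftid=@client.example.org        # constructed placeholder identity
    leftcert=clientCert.pem           # constructed placeholder file name
    leftauth=pubkey
    right=gw.example.org              # constructed placeholder address
    rightid=@gw.example.org           # identity constraint: must match the
                                      # responder's IDr and its certificate
    rightauth=pubkey
    auto=add

# --- responder side (ipsec.conf, strongSwan) -------------------------------
# If the initiator's constraint fails, this side still holds an IKE_SA and
# CHILD_SA that will never carry traffic. DPD removes it once the peer has
# gone silent instead of waiting for rekeying or INITIAL_CONTACT.
conn roadwarriors
    keyexchange=ikev2
    left=gw.example.org
    leftid=@gw.example.org            # what the initiator's rightid is checked against
    leftcert=gwCert.pem               # constructed placeholder file name
    leftauth=pubkey
    right=%any
    rightid=%any                      # any identity the peer's certificate proves
    rightauth=pubkey
    dpdaction=clear                   # drop the SA when DPD detects a dead peer
    dpddelay=30s                      # send DPD probes every 30 seconds of inactivity
    auto=add
```

A mismatch between the responder's leftid and the initiator's rightid reproduces the "failed" SA the mail refers to; raising the log level of the ike and cfg subsystems on the initiator shows the identity check failing rather than the CHILD_SA negotiation.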
