[strongSwan] Question regarding failed Child SA response

Eric_C_Johnson at Dell.com
Tue Jan 17 14:09:15 CET 2012

Hi Martin.

Thanks for the response.  Agreed re: DPD, rekeying, etc. for SA clean-up.  However, I'm not sure I understand the notion that the responder doesn't care about the non-functional SA.  More so in terms of two-way traffic.  If the responder needs to send traffic to the initiator, how is that going to happen if the initiator always fails the authentication?

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Tuesday, January 17, 2012 3:56 AM
To: Johnson, Eric C
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Question regarding failed Child SA response


> I just need some help understanding how/why either host fails to 
> recover from the failed Child SA response.

It's not related to the CHILD_SA, but authentication fails at the initiator because the identity constraint is not fulfilled.

The IKEv2 protocol does not specify a mechanism to send an AUTHENTICATION_FAILED in this situation, as the exchange is complete.
The best option probably would be to send a DELETE for the failed IKE_SA, but we currently don't do it. Maybe I'll implement it some day, but it is not top priority for me. It doesn't happen that much in the wild, and often the responder does not care about the non-functional SA.
It will get deleted by some other mechanisms (DPD, rekeying or INITIAL_CONTACT).
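As an added illustration, not taken from this thread or from strongSwan's own documentation, the ipsec.conf pair below shows where the identity constraint Martin refers to lives (the initiator's `rightid`) and the DPD settings that let the responder clear an IKE_SA the initiator has already discarded. Addresses, identities and certificate file names are assumptions.

```ini
# --- responder: /etc/ipsec.conf (hypothetical values) ---
config setup
    # uniqueids=yes (the default): a new IKE_SA from the same peer
    # identity replaces the stale one, which is also what the peer's
    # INITIAL_CONTACT notify triggers
    uniqueids=yes

conn site-a
    keyexchange=ikev2
    left=203.0.113.1
    leftid=@responder.example.org
    leftcert=responderCert.pem
    right=%any
    rightid=@initiator.example.org
    # Send an empty INFORMATIONAL every 30s while the tunnel is idle.
    # An initiator that failed authentication no longer has state for
    # this IKE_SA and never answers, so retransmits time out and the
    # responder deletes the orphaned SA instead of keeping it around.
    dpdaction=clear
    dpddelay=30s
    auto=add

# --- initiator: /etc/ipsec.conf (hypothetical values) ---
conn site-a
    keyexchange=ikev2
    left=198.51.100.1
    leftid=@initiator.example.org
    leftcert=initiatorCert.pem
    right=203.0.113.1
    # Identity constraint checked on the initiator side: the IDr the
    # responder sends (and the identity in its certificate) must match
    # this value. If it does not, authentication fails locally after the
    # IKE_AUTH exchange is already complete, which is the situation
    # described in the thread. Keep it in sync with the responder's leftid.
    rightid=@responder.example.org
    dpdaction=restart
    dpddelay=30s
    auto=start
```

With `dpdaction=clear` on the responder, the stale SA disappears after the DPD retransmit timeout rather than lingering until rekeying; the identity mismatch itself is only fixed by correcting `rightid`/`leftid`.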

