[strongSwan] Dynamic IP allocation error handling
Martin Willi
martin at strongswan.org
Tue Jul 24 11:49:12 CEST 2012
Hi Rudolf,
> When this situation occurs, both ends assume that connection is up. It
> is in terms of IPSec, but no traffic can be sent through.
The IKE_SA, the management connection, is up. The CHILD_SA, however,
can't succeed because of the address allocation failure. This is the
intended behavior, as specified by RFC 5996:
> If creating the Child SA during the IKE_AUTH exchange fails for some
> reason, the IKE SA is still created as usual. The list of Notify
> message types in the IKE_AUTH exchange that do not prevent an IKE SA
> from being set up include at least the following: NO_PROPOSAL_CHOSEN,
> TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and
> FAILED_CP_REQUIRED.
> Is it possible to configure client and/or server to tear down the
> connection in this condition
Yes, you can define the strongswan.conf option
    charon {
        close_ike_on_child_failure = yes
    }
to close the IKE_SA if the CHILD_SA can't be established.
> and try again?
No, currently no retry is done, as it is handled as a fatal error.
Regards
Martin
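A defender-side check for the condition discussed above, added here as an example that is not part of the thread or of strongSwan: it scans `ipsec statusall` output (line layout assumed from the usual format, sample constructed) and flags IKE_SAs that are ESTABLISHED without any INSTALLED CHILD_SA.

```python
import re

# Line shapes assumed from the usual `ipsec statusall` layout (not taken
# from the thread): "name[n]: STATE ..." for an IKE_SA line and
# "name{n}:  STATE, ..." for a CHILD_SA line, with CHILD_SA lines listed
# directly under the IKE_SA that carries them.
IKE_SA_RE = re.compile(r"^\s*(?P<name>[^\s\[]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)")
CHILD_SA_RE = re.compile(r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+)")

def half_open_ike_sas(statusall_output):
    """Return IKE_SAs (as "name[id]") that are ESTABLISHED but carry no
    INSTALLED CHILD_SA: the state the thread describes, where IPsec looks
    up yet no traffic can flow because no CHILD_SA exists."""
    established = []      # IKE_SA keys in order of appearance
    children = {}         # IKE_SA key -> number of INSTALLED CHILD_SAs
    current = None        # IKE_SA the following CHILD_SA lines belong to
    for line in statusall_output.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            current = f"{m.group('name')}[{m.group('id')}]"
            if m.group("state") == "ESTABLISHED" and current not in children:
                established.append(current)
                children[current] = 0
            continue
        m = CHILD_SA_RE.match(line)
        if m and m.group("state") == "INSTALLED" and current in children:
            children[current] += 1
    return [key for key in established if children[key] == 0]

# Constructed sample: rw[2] authenticated but its address allocation failed,
# so it has no CHILD_SA; rw[1] is a healthy peer with an installed tunnel.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
        rw[2]: ESTABLISHED 7 seconds ago, 10.0.0.1[moon]...10.0.0.2[carol]
        rw[2]: IKEv2 SPIs: 1111111111111111_i 2222222222222222_r*, rekeying in 55 minutes
        rw[1]: ESTABLISHED 3 minutes ago, 10.0.0.1[moon]...10.0.0.3[dave]
        rw[1]: IKEv2 SPIs: 3333333333333333_i 4444444444444444_r*, rekeying in 40 minutes
        rw{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
        rw{1}:   10.1.0.0/16 === 10.3.0.1/32
"""

if __name__ == "__main__":
    for sa in half_open_ike_sas(SAMPLE_STATUSALL):
        print(f"IKE_SA {sa} is up but has no installed CHILD_SA")
```

Run it periodically against live `ipsec statusall` output to catch peers stuck in this state when close_ike_on_child_failure is not enabled.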