[strongSwan] Dynamic IP allocation error handling

Martin Willi martin at strongswan.org
Tue Jul 24 11:49:12 CEST 2012


Hi Rudolf,

> When this situation occurs, both ends assume that connection is up. It
> is in terms of IPSec, but no traffic can be sent through.

The IKE_SA, the management connection, is up. The CHILD_SA, however,
can't succeed because of the address allocation failure. This is the
intended behavior, as specified by RFC 5996:

> If creating the Child SA during the IKE_AUTH exchange fails for some
> reason, the IKE SA is still created as usual.  The list of Notify
> message types in the IKE_AUTH exchange that do not prevent an IKE SA
> from being set up include at least the following: NO_PROPOSAL_CHOSEN,
> TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and
> FAILED_CP_REQUIRED.

> Is it possible to configure client and/or server to tear down the
> connection in this condition

Yes, you can define the strongswan.conf option

charon {
  close_ike_on_child_failure = yes
}

to close the IKE_SA if the CHILD_SA can't be established.

> and try again?

No, currently no retry is done, as it is handled as a fatal error.

Regards
Martin
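As an added example that is not part of the original reply or of strongSwan's own code: a small reader for the nested `section { key = value }` syntax of strongswan.conf that reports whether `close_ike_on_child_failure` is enabled under `charon`, so the setting discussed above can be audited on a host. It assumes one statement per line and the yes/true/1/enabled boolean spellings; the sample configs are constructed.

```python
# Added example (not from the original post): a minimal reader for the
# nested "section { key = value }" syntax of strongswan.conf, used to check
# whether charon.close_ike_on_child_failure is enabled.  Assumes one
# statement per line; strongswan.conf also supports includes and other
# forms that this small reader does not handle.

def parse_strongswan_conf(text):
    """Return nested dicts: sections map to dicts, keys map to strings."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        cur = stack[-1] if stack else root
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(cur.setdefault(name, {}))
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if stack:
        raise ValueError("unclosed section")
    return root

def as_bool(value):
    # boolean spellings accepted by strongSwan's settings parser (assumed)
    return value.strip().lower() in ("1", "yes", "true", "enabled")

def close_ike_on_child_failure_enabled(text):
    """True if charon.close_ike_on_child_failure is set to a true value."""
    conf = parse_strongswan_conf(text)
    charon = conf.get("charon", {})
    val = charon.get("close_ike_on_child_failure")
    return as_bool(val) if isinstance(val, str) else False  # default: no

# constructed sample configs
CONF_DEFAULT = "charon {\n  # nothing set: IKE_SA stays up on CHILD_SA failure\n}\n"
CONF_CLOSE = "charon {\n  close_ike_on_child_failure = yes\n}\n"

if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("close", CONF_CLOSE)):
        print(name, close_ike_on_child_failure_enabled(conf))
```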
