[strongSwan] Dynamic IP allocation error handling

Rudolf Ladyzhenskii rudolfl at rumatech.com
Thu Jul 26 07:09:23 CEST 2012


Hmm...

Does not seem to work. I put the
charon {
 close_ike_on_child_failure = yes
}

on both ends and the problem is still there.

I will try to produce logs and will post them here.

Thanks,
Rudolf

On Tue, Jul 24, 2012 at 7:49 PM, Martin Willi <martin at strongswan.org> wrote:
> Hi Rudolf,
>
>> When this situation occurs, both ends assume that connection is up. It
>> is in terms of IPSec, but no traffic can be sent through.
>
> The IKE_SA, the management connection, is up. The CHILD_SA, however,
> can't succeed because of the address allocation failure. This is the
> intended behavior, as specified by RFC 5996:
>
>> If creating the Child SA during the IKE_AUTH exchange fails for some
>> reason, the IKE SA is still created as usual.  The list of Notify
>> message types in the IKE_AUTH exchange that do not prevent an IKE SA
>> from being set up include at least the following: NO_PROPOSAL_CHOSEN,
>> TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and
>> FAILED_CP_REQUIRED.
>
>> Is it possible to configure client and/or server to tear down the
>> connection in this condition
>
> Yes, you can define the strongswan.conf option
>
> charon {
>   close_ike_on_child_failure = yes
> }
>
> to close the IKE_SA if the CHILD_SA can't be established.
>
>> and try again?
>
> No, currently no retry is done, as it is handled as a fatal error.
>
> Regards
> Martin
>
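The state Rudolf describes (IKE_SA ESTABLISHED, no CHILD_SA installed, so no traffic flows) is easy to miss from a quick glance at `ipsec status`. The following is an added example, not code from the strongSwan project or from anyone in this thread: it parses text in the style of `ipsec statusall`, flags IKE_SAs that are up without an INSTALLED CHILD_SA, and generates (but does not run) the `ipsec down <conn>[<id>]` commands an operator could use to tear them down so the client reconnects, since, as Martin notes, no automatic retry is done. The sample status output, the regexes, and the `ipsec down <name>[<id>]` syntax are assumptions made for the example; check them against your own strongSwan version before relying on the script.

```python
"""Detect IKE_SAs that are ESTABLISHED but carry no installed CHILD_SA.

Added example, not strongSwan project code. The line format is modelled
on `ipsec statusall` (assumed: "conn[N]: STATE ..." for IKE_SAs and
"conn{N}:  STATE, ..." for CHILD_SAs, with CHILD_SA lines listed after
the IKE_SA they belong to).
"""
import re

# Constructed sample in the style of `ipsec statusall` (not a real capture):
# rw[1] is healthy (has CHILD_SA rw{1}), rw[2] is "half-up" (no CHILD_SA),
# which is what happens when INTERNAL_ADDRESS_FAILURE is returned in IKE_AUTH.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
        rw[1]: ESTABLISHED 23 seconds ago, 192.0.2.1[moon]...198.51.100.7[carol]
        rw[1]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i 8b7a6f5e4d3c2b1a_r*, rekeying in 2 hours
        rw[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
        rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
        rw{1}:   10.1.0.0/16 === 10.3.0.1/32
        rw[2]: ESTABLISHED 5 seconds ago, 192.0.2.1[moon]...203.0.113.9[dave]
        rw[2]: IKEv2 SPIs: 0011223344556677_i 7766554433221100_r*, rekeying in 2 hours
        rw[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""

# IKE_SA and CHILD_SA state names as printed by charon (assumed list).
IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE",
              "REKEYING", "REKEYED", "DELETING", "DESTROYING"}
CHILD_STATES = {"CREATED", "ROUTED", "INSTALLING", "INSTALLED",
                "UPDATING", "REKEYING", "REKEYED", "RETRYING",
                "DELETING", "DELETED", "DESTROYING"}

IKE_SA_RE = re.compile(r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)\b")
CHILD_SA_RE = re.compile(r"^\s*(?P<name>[^\{\s]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+)\b")


def parse_status(text):
    """Return {(conn_name, ike_id): {"state": str, "children": [(id, state)]}}.

    CHILD_SA lines are attributed to the most recently seen IKE_SA.
    Lines such as "IKEv2 SPIs:" or "IKE proposal:" do not carry a state
    and are skipped without changing the current IKE_SA context.
    """
    sas = {}
    current = None
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            if m.group("state") in IKE_STATES:
                key = (m.group("name"), int(m.group("id")))
                sas.setdefault(key, {"state": m.group("state"), "children": []})
                current = key
            continue
        m = CHILD_SA_RE.match(line)
        if m and current is not None and m.group("state") in CHILD_STATES:
            sas[current]["children"].append((int(m.group("id")), m.group("state")))
    return sas


def half_up(sas):
    """IKE_SAs that are ESTABLISHED but have no INSTALLED CHILD_SA."""
    return sorted(
        key for key, sa in sas.items()
        if sa["state"] == "ESTABLISHED"
        and not any(state == "INSTALLED" for _, state in sa["children"])
    )


def remediation_commands(keys):
    """Commands to close each half-up IKE_SA by its unique ID, so the peer
    has to reconnect from scratch. Generated only, never executed here.
    (Assumes the `ipsec down <name>[<id>]` form is accepted.)
    """
    return [f"ipsec down {name}[{ike_id}]" for name, ike_id in keys]


if __name__ == "__main__":
    found = half_up(parse_status(SAMPLE_STATUS))
    for cmd in remediation_commands(found):
        print(cmd)
```

In production you would feed the script the real output (`ipsec statusall | python3 check_half_up.py`, with `SAMPLE_STATUS` replaced by `sys.stdin.read()`) from cron or a monitoring agent, and alert rather than tear down automatically if the pool exhaustion is on the responder side, since closing the IKE_SA there does not free any address.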



