[strongSwan] strongswan: clarification needed on rekeying failure

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Thu Jun 28 06:14:06 CEST 2012


Hi,
    I am looking for a clarification wrt "rekeying SA" in the strongswan
implementation. During a rekeying negotiation to a remote peer, if the local
node receives "NO_PROPOSAL_CHOSEN" in a notify payload as a response to a
CREATE_CHILD_SA request, shouldn't the current IKE SA be destroyed and
created once again? But I observe that CREATE_CHILD_SA is requested
again.

 From charon.log: (X is local system and Y is remote system)

  01[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
  01[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]
  10[NET] received packet: from Y:Y:Y:1::1[500] to X:X:X:1::1[500]
  10[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
  10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
  10[IKE] failed to establish CHILD_SA, keeping IKE_SA
  10[IKE] CHILD_SA rekeying failed, trying again in 24 seconds
  05[KNL] creating rekey job for ESP CHILD_SA with SPI 8a8cefdc and reqid {1}
  12[IKE] establishing CHILD_SA ikev2_test{1}
  12[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
  12[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]

 From ipsec.conf, timing settings:

ikelifetime="120s"
rekeymargin=5s
keylife="60s"

As per RFC 4306 (http://www.ietf.org/rfc/rfc4306.txt) Section 2.8,

    "An implementation
    MAY refuse all CREATE_CHILD_SA requests within an IKE_SA.  If an SA
    has expired or is about to expire and rekeying attempts using the
    mechanisms described here fail, an implementation MUST close the
    IKE_SA and any associated CHILD_SAs and then MAY start new ones."

Hence, is sending a notify payload (no proposal chosen) not treated as a
failure of the rekey attempt? It cannot be considered packet loss, as the
initiator received the response anyway.

I am a newbie, so please correct my understanding if you have a better
answer.

Thanks,
Gowri Shankar
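As an added example (not code from the poster or from strongSwan itself), a small Python script that walks the charon.log excerpt above, tallies CREATE_CHILD_SA rekey attempts and NO_PROPOSAL_CHOSEN rejections, and compares the scheduled retry delay with the configured rekeymargin (in strongSwan, rekeying starts rekeymargin before the lifetime expires, so a retry delay larger than the margin lands after the CHILD_SA's hard lifetime). The log text is the excerpt from this post embedded as constructed input; the regexes assume the charon log line format shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the charon.log excerpt quoted in the post (X/Y are the poster's placeholders).
SAMPLE_LOG = """\
01[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
01[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]
10[NET] received packet: from Y:Y:Y:1::1[500] to X:X:X:1::1[500]
10[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
10[IKE] failed to establish CHILD_SA, keeping IKE_SA
10[IKE] CHILD_SA rekeying failed, trying again in 24 seconds
05[KNL] creating rekey job for ESP CHILD_SA with SPI 8a8cefdc and reqid {1}
12[IKE] establishing CHILD_SA ikev2_test{1}
12[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
12[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]
"""

REKEY_REQ = re.compile(r"\[ENC\] generating CREATE_CHILD_SA request \d+ \[ N\(REKEY_SA\)")
NO_PROP = re.compile(r"\[IKE\] received NO_PROPOSAL_CHOSEN notify")
RETRY = re.compile(r"\[IKE\] CHILD_SA rekeying failed, trying again in (\d+) seconds")

@dataclass
class RekeyStatus:
    attempts: int = 0    # CREATE_CHILD_SA requests that carry N(REKEY_SA)
    rejections: int = 0  # NO_PROPOSAL_CHOSEN replies to those requests
    retry_delays: list = field(default_factory=list)  # seconds until each retry

def parse_rekey_log(text: str) -> RekeyStatus:
    """Tally rekey attempts, rejections and scheduled retry delays from charon.log lines."""
    status = RekeyStatus()
    for line in text.splitlines():
        if REKEY_REQ.search(line):
            status.attempts += 1
        elif NO_PROP.search(line):
            status.rejections += 1
        else:
            m = RETRY.search(line)
            if m:
                status.retry_delays.append(int(m.group(1)))
    return status

def parse_seconds(value: str) -> int:
    """Parse an ipsec.conf duration written as 120s, "60s" or 5s into seconds."""
    return int(value.strip().strip('"').rstrip("s"))

def retry_overruns_margin(status: RekeyStatus, rekeymargin: int) -> bool:
    """True when a retry is scheduled later than rekeymargin, i.e. past the hard lifetime."""
    return any(delay > rekeymargin for delay in status.retry_delays)
```

With the post's ipsec.conf values (rekeymargin=5s) the 24-second retry overruns the margin, which is the timing behind the question.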