[strongSwan] SAD and SPD are not deleted properly on getting delete payload from Peer for Ikev2

Martin Willi martin at strongswan.org
Wed May 9 09:39:11 CEST 2012


> When we stop IPSec service in Cisco, its sending Informational
> exchange with delete payload and message ID as 1.

It seems that the Cisco box messes up the message IDs. In IKEv2, message
IDs are strictly incremental and assigned independent of the exchange

> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> parsed INFORMATIONAL request 1 [ D ]
> received retransmit of request with ID 1, retransmitting response
> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
> received message ID 1, expected 0. Ignored

IKE_SA_INIT uses message ID 0, the IKE_AUTH exchange ID 1. A follow up
exchange initiated from the IKE_SA initiator must have a message ID of
2. strongSwan handles the message with ID 1 as a retransmission and
retransmits its response with message ID 1. The last IKE_AUTH is
completely wrong, probably because the Cisco box receives the unexpected
IKE_AUTH retransmit.

Looks to me like a bug in the Cisco IKEv2 implementation. I don't think
there is much we can do from the strongSwan side.


More information about the Users mailing list