strongSwan 5.0.0 on OpenWrt: duplicate IKE SA and failed MOBIKE

Tobias Brunner tobias at strongswan.org
Wed Oct 3 16:37:31 CEST 2012

Hi Mirko,

> * Charon on OpenWrt was unable to perform the MOBIKE address update;
>   eventually the IKE SA was destroyed and reestablished.

This issue has already been reported [1].  In your case the ongoing
(but, due to unusable addresses, unsuccessful) DPD exchange blocks the
MOBIKE task.  Once the DPD exchange fails (after 5 retransmits) charon
destroys the SA and tries to reestablish it.

> * Both peers initiated an IKE SA and CHILD SAs based on these.
>   Why wasn't one of them deleted as a duplicate?
>   This issue showed up in about 50% of my experiments.

If both peers initiate the same IKE_SA within a small time frame the
duplicate can't be detected.  Essentially, whenever the daemon processes
and builds the IKE_AUTH response for the respective SAs concurrently.


[1] http://wiki.strongswan.org/issues/193
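The two mechanics in the reply above, the DPD retransmit clock that runs out before the MOBIKE task gets a turn, and the uniqueness check that both peers can pass when they finish IKE_AUTH at the same time, are modelled below as an added example. This is constructed illustration code, not charon source or anything from the thread; the retransmit defaults (5 tries, 4.0 s, base 1.8) are assumed from charon's `retransmit_tries`, `retransmit_timeout` and `retransmit_base` settings, and the check-then-commit duplicate model is a deliberate simplification of what the daemon actually does.

```python
"""Constructed model of (a) the exponential DPD retransmit schedule and
(b) a check-then-act duplicate IKE SA detection that can be raced.
Not strongSwan code; written to illustrate the reply above."""
from typing import List, Tuple


def retransmit_delays(tries: int = 5, timeout: float = 4.0,
                      base: float = 1.8) -> List[float]:
    """Delay before retransmit n is timeout * base**n (n = 0 is the wait
    after the first transmission).  Defaults are assumed to match charon's
    retransmit_* settings.  The last entry is the wait after the final
    retransmit, after which the exchange is declared failed."""
    return [timeout * base ** n for n in range(tries + 1)]


def time_to_failure(tries: int = 5, timeout: float = 4.0,
                    base: float = 1.8) -> float:
    """Seconds from the first DPD request until the daemon gives up and
    tears down the IKE SA.  While this clock runs, a queued MOBIKE update
    cannot start because the DPD exchange holds the SA's task queue."""
    return sum(retransmit_delays(tries, timeout, base))


# An SA record: (sa_name, local_identity, remote_identity)
SA = Tuple[str, str, str]


class DuplicateCheck:
    """Toy uniqueness check: when an SA becomes ESTABLISHED, look for an
    already-established SA between the same two identities.  The check
    and the commit are separate steps, which is what makes the race
    possible when two SAs finish IKE_AUTH concurrently."""

    def __init__(self) -> None:
        self.established: List[SA] = []

    def check(self, sa: SA) -> bool:
        """True if an established SA between the same identities exists."""
        ids = frozenset(sa[1:])
        return any(frozenset(e[1:]) == ids for e in self.established)

    def commit(self, sa: SA) -> None:
        """Mark the SA as ESTABLISHED."""
        self.established.append(sa)


def run(schedule: List[Tuple[str, SA]]) -> List[str]:
    """Replay an interleaving of ('check'|'commit', sa) events and return
    the names of SAs that were flagged as duplicates."""
    daemon = DuplicateCheck()
    flagged: List[str] = []
    for op, sa in schedule:
        if op == "check":
            if daemon.check(sa):
                flagged.append(sa[0])
        elif op == "commit":
            daemon.commit(sa)
        else:
            raise ValueError(f"unknown op {op!r}")
    return flagged


# Constructed sample: peer A and peer B each initiate an IKE SA to the other.
SA_A: SA = ("sa-initiated-by-A", "a.example", "b.example")
SA_B: SA = ("sa-initiated-by-B", "b.example", "a.example")

# Sequential: A's SA is established before B's reaches the check.
SEQUENTIAL = [("check", SA_A), ("commit", SA_A),
              ("check", SA_B), ("commit", SA_B)]

# Concurrent: both SAs are checked before either is committed, so neither
# sees the other and both survive.
CONCURRENT = [("check", SA_A), ("check", SA_B),
              ("commit", SA_A), ("commit", SA_B)]


if __name__ == "__main__":
    print("DPD give-up after %.1f s" % time_to_failure())
    print("sequential flagged:", run(SEQUENTIAL))
    print("concurrent flagged:", run(CONCURRENT))
```

With the assumed defaults the schedule is 4.0, 7.2, 12.96, 23.3, 42.0 and 75.6 seconds, about 165 seconds in total before the SA is destroyed and reestablished, which is the window in which the MOBIKE address update described in the reply never gets to run. The race model shows why the duplicate is only caught when one IKE_AUTH completes strictly before the other starts its check.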