[strongSwan] strongSwan 5.0.0 on OpenWrt: duplicate IKE SA and failed MOBIKE
Tobias Brunner
tobias at strongswan.org
Wed Oct 3 16:37:31 CEST 2012
Hi Mirko,
> * Charon on OpenWrt was unable to perform the MOBIKE address update;
> eventually the IKE SA was destroyed and reestablished.
This issue has already been reported [1]. In your case the ongoing
(but, due to unusable addresses, unsuccessful) DPD exchange blocks the
MOBIKE task. Once the DPD exchange fails (after 5 retransmits) charon
destroys the SA and tries to reestablish it.
> * Both peers initiated an IKE SA and CHILD SAs based on these.
> Why wasn't one of them deleted as a duplicate?
> This issue showed up in about 50% of my experiments.
If both peers initiate the same IKE_SA within a small time frame the
duplicate can't be detected. Essentially, whenever the daemon processes
and builds the IKE_AUTH response for the respective SAs concurrently.
Regards,
Tobias
[1] http://wiki.strongswan.org/issues/193
More information about the Users
mailing list