[strongSwan] MAC Verification failed On Receipt of CREATE_CHILD_SA message.

Martin Willi martin at strongswan.org
Wed Sep 5 13:34:01 CEST 2012


> First, one IKEv2 child SA is established after the IKE_SA_INIT and IKE_AUTH
> exchanges. Now a second Child SA is created by sending a CREATE_CHILD_SA
> request.
> Then this application times out the first child SA and expects a REKEY
> request for the first CHILD SA. But when two child SAs get established,
> the keylife of both the Child SAs is approximately the same. And
> Strongswan sends a rekey request for both of them. Now this software
> sends one CREATE_CHILD_SA (rekey response) message. But on Strongswan's
> side it shows MAC Authentication failed (in var/log/charon.log). And it
> drops the packet.

Hard to say what's going wrong. Are you sure these CREATE_CHILD_SA
messages are for CHILD_SAs, not for IKE_SAs? Is it possible to reproduce
the issue while rekeying just a single CHILD_SA?

strongSwan has been tested against many implementations, but I've never
seen this issue with CHILD_SA rekeying. Should your application support
that rekeying scenario you describe above?

> Are there any limitations on creating more than two Child SAs for the
> same IKE SA? Or is there any known issue in strongswan
> about creating more than one Child SA or rekeying?



