[strongSwan] MAC Verification failed On Receipt of CREATE_CHILD_SA message.
Martin Willi
martin at strongswan.org
Wed Sep 5 13:34:01 CEST 2012
Hi,
> First one ikev2 child SA is eshtablished after IKE_SA_INIT an IKE_AUTH
> exchanges.Now A second Child SA created by sending CREATE_CHILD_SA
> request.
> Then this application times out the first child SA and expects a REKEY
> request for the first CHILD SA.BUT when two child sa gets eshtablished
> the keylife of both the Child SA's gets approximately same.And
> Strongswan sends rekey request for both of them. Now this software
> sends one CREATE_CHILD_SA (rekey response) message.But in Strongswan's
> side it shows MAC Authentication failed( in var/log/charon.log).And it
> drops the packet.
Hard to say what's going wrong. Are you sure these CREATE_CHILD_SA
messages are for CHILD_SAs, not for IKE_SAs? Is it possible to reproduce
the issue while rekeying just a single CHILD_SA?
strongSwan has been tested against many implementations, but I've never
seen this issue with CHILD_SA rekeying. Should your application support
that rekeying scenario you describe above?
> Is there any limitations on creating more than two Child SAs for the
> same IKE SA. Or is there any known issue on strongswan
> about creating more than one Child SA or rekeying.
No.
Regards
Martin
More information about the Users
mailing list