[strongSwan] Behavior on receiving NO_ADDITIONAL_SAS

Martin Willi martin at strongswan.org
Thu Feb 28 12:59:46 CET 2013


Hi,

> Scenario-1--> No child SA allowed using CREATE_CHILD_SA (apart from the
> one created during the AUTH exchange). How does strongswan behave in
> this case? Will it delete the IKE and try to recreate the IKE & child
> again?

No. The CHILD_SA does not get created, but no further actions follow.
The existing IKE_SA and its child(ren) stay as they are.

There is a global strongswan.conf option called
charon.close_ike_on_child_failure, but this closes the IKE_SA only if
establishing the initial CHILD_SA fails during IKE_AUTH.

> Scenario-2--> Already <N> child SAs are created and the peer doesn't support
> an N+1th child SA under the given IKE (is it possible to enforce such a
> restriction?)

strongSwan does not have such a limit.

> How does strongswan behave in this case? Will it delete the IKE and
> all the child SAs under that IKE and try to recreate the IKE & child SAs
> again?

No, same behavior as in Scenario 1.

> Scenario-3--> Reject IKE rekeying request using CREATE_CHILD_SA from
> the peer. How does strongswan behave in this case? Will it delete the
> IKE and all the child SAs under that IKE and try to recreate the IKE &
> child SAs again?

Yes. If IKE_SA rekeying gets rejected, charon starts re-authentication.
This means it closes the IKE_SA with all CHILD_SAs, then recreates the
IKE_SA with all previously established CHILD_SAs.

> Scenario-4--> In case of a 1-IKE and multiple child-SA configuration, if
> the peer rejects the rekey request for any of the child (ESP) SAs with
> "NO_ADDITIONAL_SAS", how does strongswan behave in this case?

It will trigger a reauthentication, identical to Scenario 3.

Regards
Martin
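The following is an added example, not code from the thread or from strongSwan: it decodes an IKEv2 Notify payload as laid out in RFC 7296 (section 3.10), recognises NO_ADDITIONAL_SAS (type 35), and maps a rejected CREATE_CHILD_SA request to the charon reaction Martin describes above, so that what you see in a capture or log can be tied to the expected follow-up. The sample payload bytes are constructed; the request-kind labels are assumptions of this example.

```python
import struct

# Notify Message Type values from RFC 7296, section 3.10.1
NO_ADDITIONAL_SAS = 35
TEMPORARY_FAILURE = 43
NOTIFY_NAMES = {NO_ADDITIONAL_SAS: "NO_ADDITIONAL_SAS",
                TEMPORARY_FAILURE: "TEMPORARY_FAILURE"}


def parse_notify_payload(data: bytes) -> dict:
    """Decode one IKEv2 Notify payload: generic payload header
    (next payload, flags, length) followed by protocol ID, SPI size,
    notify message type, optional SPI and notification data."""
    if len(data) < 8:
        raise ValueError("notify payload shorter than its fixed header")
    next_payload, flags, length, proto_id, spi_size, msg_type = \
        struct.unpack("!BBHBBH", data[:8])
    if length < 8 + spi_size or length > len(data):
        raise ValueError("payload length field inconsistent with data")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": proto_id,
        "spi": data[8:8 + spi_size],
        "type": msg_type,
        "name": NOTIFY_NAMES.get(msg_type, f"UNKNOWN({msg_type})"),
        "data": data[8 + spi_size:length],
    }


def expected_charon_reaction(request_kind: str, notify_type: int) -> str:
    """Reaction described in the reply when a CREATE_CHILD_SA request is
    answered with NO_ADDITIONAL_SAS. request_kind (assumed labels):
    'new_child' (Scenario 1/2), 'ike_rekey' (Scenario 3),
    'child_rekey' (Scenario 4)."""
    if notify_type != NO_ADDITIONAL_SAS:
        return "not covered by this thread"
    if request_kind == "new_child":
        return "none"      # CHILD_SA simply not created, IKE_SA kept
    if request_kind in ("ike_rekey", "child_rekey"):
        return "reauth"    # IKE_SA and all CHILD_SAs closed and recreated
    raise ValueError(f"unknown request kind: {request_kind}")


# Constructed sample: no next payload, not critical, length 8,
# protocol ID 0, no SPI, message type 35 (NO_ADDITIONAL_SAS).
SAMPLE_NOTIFY = bytes.fromhex("00000008" "00000023")

if __name__ == "__main__":
    n = parse_notify_payload(SAMPLE_NOTIFY)
    print(n["name"], "->", expected_charon_reaction("child_rekey", n["type"]))
```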
