[strongSwan] Behavior on receiving NO_ADDITIONAL_SAS
Patil, Shashidhar 1. (NSN - IN/Bangalore)
shashidhar.1.patil at nsn.com
Fri Mar 1 05:03:06 CET 2013
Thanks Martin for the response.
>>> It will trigger a reauthentication, identical to Scenario 3
But I think we are violating the following RFC clause here right ?
failed attempt to create a Child SA SHOULD NOT tear down the IKE SA: there is no reason to lose the work done to set up the IKE SA.
From: ext Martin Willi [mailto:martin at strongswan.org]
Sent: Thursday, February 28, 2013 5:30 PM
To: Patil, Shashidhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Behavior on receiving NO_ADDITIONAL_SAS
> Scenario-1--> No child SA allowed using CREATE_CHILD_SA (apart from the
> one created during the AUTH exchange) How does strongswan behave in
> this case ? will it delete the IKE and try to recreate the IKE & child
No. The CHILD_SA does not get created, but no further actions follow.
The existing IKE_SA and its child(ren) stay as they are.
There is a global strongswan.conf option called
charon.close_ike_on_child_failure, but this closes the IKE_SA only if
establishing the initial CHILD_SA fails during IKE_AUTH.
> Scenario-2--> Alreday <N> child SA are created and peer doesn't support
> N+1th child SA under the given IKE (is it possible to enforce such
strongSwan does not have such a limit.
> How does strongswan behave in this case ? will it delete the IKE and
> all the child SA under that IKE and try to recreate the IKE & child SAs
No, same behavior as in Scenario 1.
> Scenario-3--> Reject IKE rekeying request using CREATE_CHILD_SA from
> the peer How does strongswan behave in this case ? will it delete the
> IKE and all the child SA under that IKE and try to recreate the IKE &
> child SAs again?
Yes. If IKE_SA rekeying gets rejected, charon starts re-authentication.
This means it closes the IKE_SA with all CHILD_SAs, then recreates the
IKE_SA with all previously established CHILD_SAs.
> Scenario-4 --> In case of 1-IKE and multiple child-SA configuration, if
> the peer rejects the rekey request for any of child(ESP) SA with
> "NO_ADDITIONAL_SAS" How does strongswan behave in this case ?
It will trigger a reauthentication, identical to Scenario 3.
More information about the Users