[strongSwan] Behavior on receiving NO_ADDITIONAL_SAS

Patil, Shashidhar 1. (NSN - IN/Bangalore) shashidhar.1.patil at nsn.com
Fri Mar 1 05:03:06 CET 2013 

Thanks Martin for the response.

>>> It will trigger a reauthentication, identical to Scenario 3
But I think we are violating the following RFC clause here right ?

failed attempt to create a Child SA SHOULD NOT tear down the IKE SA: there is no reason to lose the work done to set up the IKE SA.

-----Original Message-----
From: ext Martin Willi [mailto:martin at strongswan.org] 
Sent: Thursday, February 28, 2013 5:30 PM
To: Patil, Shashidhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Behavior on receiving NO_ADDITIONAL_SAS

Hi,

> Scenario-1--> No child SA allowed using CREATE_CHILD_SA (apart from the
> one created during the AUTH exchange) How does strongswan behave in
> this case ? will it delete the IKE and try to recreate the IKE & child
> again?

No. The CHILD_SA does not get created, but no further actions follow.
The existing IKE_SA and its child(ren) stay as they are.

There is a global strongswan.conf option called
charon.close_ike_on_child_failure, but this closes the IKE_SA only if
establishing the initial CHILD_SA fails during IKE_AUTH.

> Scenario-2--> Alreday <N> child SA are created and peer doesn't support
> N+1th child SA under the given IKE  (is it possible to enforce such
> restriction?)

strongSwan does not have such a limit.

> How does strongswan behave in this case ? will it delete the IKE and
> all the child SA under that IKE and try to recreate the IKE & child SAs
> again?

No, same behavior as in Scenario 1.

> Scenario-3--> Reject IKE rekeying request using CREATE_CHILD_SA from
> the peer How does strongswan behave in this case ? will it delete the
> IKE and all the child SA under that IKE and try to recreate the IKE &
> child SAs again?

Yes. If IKE_SA rekeying gets rejected, charon starts re-authentication.
This means it closes the IKE_SA with all CHILD_SAs, then recreates the
IKE_SA with all previously established CHILD_SAs.

> Scenario-4 --> In case of 1-IKE and multiple child-SA configuration, if
> the peer rejects the rekey request for any of child(ESP) SA with
> "NO_ADDITIONAL_SAS" How does strongswan behave in this case ?

It will trigger a reauthentication, identical to Scenario 3.

Regards
Martin

More information about the Users mailing list