[strongSwan] Aggressive Mode. Rekeying fails

Gerald Richter - ECOS richter at ecos.de
Tue Mar 12 10:31:56 CET 2013

Hi Martin,

as we know specs are the one side and Cisco is the other side...

One could argue that the " ISAKMP SA that was used to secure the request" does not expire, but is renewed, also I am aware that this is not the strict interpretation.

Since the rekeying fails in the mode_config state, I would like to test, if it goes through if we do not request a new ip. 

Is there any chance in the xauth/mode_config code to distinguish between an initial key exchange and a rekeying. If yes, how? If you could give me a hint, I would create a patch and see if this changes anything.

Thanks & Regards


> -----Ursprüngliche Nachricht-----
> Von: Martin Willi [mailto:martin at strongswan.org]
> Gesendet: Dienstag, 12. März 2013 10:09
> An: Gerald Richter - ECOS
> Cc: users at lists.strongswan.org
> Betreff: Re: AW: [strongSwan] Aggressive Mode. Rekeying fails
> Hi Gerald,
> > The IKE Rekeying succeeds, but afterwards it gets stuck within a
> > mode_config request. I don't think there should be a mode_config
> > request during rekeying or I am wrong?
> strongSwan binds an INTERNAL_IPx_ADDRESS to the ISAKMP_SA, so it valid
> only during the lifetime of an ISAKMP_SA. This implies that IKE rekeying (or
> better, re-authentication) re-negotiates virtual IPs.
> It is not fully clear to me what is the correct behavior, but
> draft-dukes-ike-mode-cfg-02 says:
> > The requested address is valid until the expiry time defined with the
> > INTERNAL_ADDRESS EXPIRY attribute or until the ISAKMP SA that was used
> > to secure the request expires.
> Regards
> Martin

More information about the Users mailing list