[strongSwan] Some queries on behavior with respect to "NO_ADDITIONAL_SAS" & "UNSUPPORTED_CRITICAL_PAYLOAD"

Patil, Shashidhar 1. (NSN - IN/Bangalore) shashidhar.1.patil at nsn.com
Fri Mar 15 11:57:44 CET 2013

Thanks Martin for the inputs.
I'll get back to you on your queries.

> 4) How provoke 'UNSUPPORTED_CRITICAL_PAYLOAD' from the DUT.
Here we want to know how the peer sec-GW can provoke the strongswan on our device to send the 'UNSUPPORTED_CRITICAL_PAYLOAD'

-----Original Message-----
From: ext Martin Willi [mailto:martin at strongswan.org] 
Sent: Friday, March 15, 2013 2:18 PM
To: Patil, Shashidhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Some queries on behavior with respect to "NO_ADDITIONAL_SAS" & "UNSUPPORTED_CRITICAL_PAYLOAD"


> 1) A second IKE created by Strong Swan, even if there is only one IKE at the DUT configured.

> A REAUTH is initiated by DUT (Strong Swan) with an INFORMATIONAL message.
> The remote end (a IKEv2 emulator) sends the response with a delay of roughly 22 s
> In-between the Strong swan is sending a new IKE_SA_INIT request for a second IKE_SA

Do you see in the log why strongSwan sends this second request for a new
IKE_SA? Is it a retransmit?

I couldn't reproduce this here, at least not with the latests strongSwan

> 2) An existing CHILD is not rekeyed, if there are two CHILDS at the rekey queue.

>        conn1[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY CHILD_REKEY [...]

I remember that I recently fixed a bug that fixes queueing many rekey
tasks, likely that it fixes this issue. I haven't found the related
commit in a quick search, though.

> 3) An REAUTH is not immediately initiated, even an rekey of an existing CHILD is rejected with 'NO_ADDITONAL_SAS'.
> 4) How provoke 'UNSUPPORTED_CRITICAL_PAYLOAD' from the DUT.

strongSwan 4.5.3 is now almost two years old and many changes and fixes
are gone in since then. To avoid fixing things twice, I'd recommend you
to run your test suite against the latest release, it is likely that one
or the other issue has been fixed. Those fixes can be back-ported if you
require the 4.5.3 version. For those not fixed we can take a closer look
what the issue is and if it must be fixed.


More information about the Users mailing list