[strongSwan] Some queries on behavior with respect to "NO_ADDITIONAL_SAS" & "UNSUPPORTED_CRITICAL_PAYLOAD"

Patil, Shashidhar 1. (NSN - IN/Bangalore) shashidhar.1.patil at nsn.com
Wed Mar 20 04:35:23 CET 2013


Hi Martin,

I'm awaiting your response regarding the "UNSUPPORTED_CRITICAL_PAYLOAD" query.
Meanwhile, I'm attaching the logs for your following query:
"Do you see in the log why strongSwan sends this second request for a new
IKE_SA? Is it a retransmit?"

BR,
Shashidhar


-----Original Message-----
From: ext Martin Willi [mailto:martin at strongswan.org] 
Sent: Friday, March 15, 2013 2:18 PM
To: Patil, Shashidhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Some queries on behavior with respect to "NO_ADDITIONAL_SAS" & "UNSUPPORTED_CRITICAL_PAYLOAD"

Hi,

> 1) A second IKE created by Strong Swan, even if there is only one IKE at the DUT configured.

> A REAUTH is initiated by DUT (Strong Swan) with an INFORMATIONAL message.
> The remote end (an IKEv2 emulator) sends the response with a delay of roughly 22 s
> In-between the Strong swan is sending a new IKE_SA_INIT request for a second IKE_SA

Do you see in the log why strongSwan sends this second request for a new
IKE_SA? Is it a retransmit?

I couldn't reproduce this here, at least not with the latest strongSwan
version.

> 2) An existing CHILD is not rekeyed, if there are two CHILDS at the rekey queue.

>        conn1[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY CHILD_REKEY [...]

I remember that I recently fixed a bug that fixes queueing many rekey
tasks, likely that it fixes this issue. I haven't found the related
commit in a quick search, though.

> 3) A REAUTH is not immediately initiated, even if a rekey of an existing CHILD is rejected with 'NO_ADDITIONAL_SAS'.
> 4) How to provoke 'UNSUPPORTED_CRITICAL_PAYLOAD' from the DUT.

strongSwan 4.5.3 is now almost two years old and many changes and fixes
have gone in since then. To avoid fixing things twice, I'd recommend you
to run your test suite against the latest release, it is likely that one
or the other issue has been fixed. Those fixes can be back-ported if you
require the 4.5.3 version. For those not fixed we can take a closer look
what the issue is and if it must be fixed.

Regards
Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 80.3-12_loglevel2.zip
Type: application/x-zip-compressed
Size: 8125 bytes
Desc: 80.3-12_loglevel2.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130320/e8c93c7c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ikev2_decryption_table_for_80.zip
Type: application/x-zip-compressed
Size: 5545 bytes
Desc: ikev2_decryption_table_for_80.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130320/e8c93c7c/attachment-0001.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: charon_logs.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130320/e8c93c7c/attachment.txt>

