[strongSwan] sa payload missing after reconnection, strongSwan v5.0.4 <> Cisco 3925 ASR v15.0(1)M3

Martin Willi martin at strongswan.org
Fri May 17 09:23:53 CEST 2013


Hi Paul,

> 16[ENC] parsed QUICK_MODE request 3295287818 [ HASH SA No ID ID ]
> 16[ENC] generating QUICK_MODE response 3295287818 [ HASH SA No ID ID ]
> 02[ENC] parsed QUICK_MODE request 1762205300 [ HASH SA No ID ID ]

> 01[ENC] parsed QUICK_MODE request 3295287818 [ HASH ]
> 01[IKE] sa payload missing 

> 14[IKE] integrity check failed 

It looks like the Cisco box is establishing a second Quick Mode before
the first one has been completed. 

charon currently can't handle that, and thinks the third Quick Mode
message is for the first Quick Mode, while it is actually for the
second. This of course brings the state machine out of sync, resulting
in the two errors.

I think we should extend charon to support multiple simultaneous Quick
Modes. This is not that trivial, though, and certainly requires some
time. As a workaround, you might try to find out why the Cisco box
establishes a second Quick Mode, and how this can be avoided.

Regards
Martin
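
Added example (not part of the original message and not strongSwan code): a small log check that flags a Quick Mode started while an earlier one is still waiting for its final HASH-only message, which is the overlap described above. It assumes charon is the responder, so the peer's messages appear as "parsed" lines, and that exchanges are tracked by the message ID as logged; the sample lines are the ones quoted in this mail.

```python
import re

# Matches charon ENC lines such as:
#   16[ENC] parsed QUICK_MODE request 3295287818 [ HASH SA No ID ID ]
LINE_RE = re.compile(
    r"\d+\[ENC\] (parsed|generating) QUICK_MODE (?:request|response) "
    r"(\d+) \[([^\]]*)\]"
)

def find_overlapping_quick_modes(lines):
    """Return (new_id, still_open_ids) for every Quick Mode that starts
    while an earlier one has not yet received its final HASH message."""
    open_ids = []   # message IDs whose exchange is started but not completed
    overlaps = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(1) != "parsed":
            continue  # only messages received from the peer drive the state
        msg_id, payloads = m.group(2), m.group(3).split()
        if "SA" in payloads and msg_id not in open_ids:
            # First message of a new Quick Mode (it carries the SA payload).
            if open_ids:
                overlaps.append((msg_id, list(open_ids)))
            open_ids.append(msg_id)
        elif payloads == ["HASH"] and msg_id in open_ids:
            # Third message: HASH only, completes that exchange.
            open_ids.remove(msg_id)
    return overlaps

# Log lines quoted in the message above.
SAMPLE_LOG = [
    "16[ENC] parsed QUICK_MODE request 3295287818 [ HASH SA No ID ID ]",
    "16[ENC] generating QUICK_MODE response 3295287818 [ HASH SA No ID ID ]",
    "02[ENC] parsed QUICK_MODE request 1762205300 [ HASH SA No ID ID ]",
    "01[ENC] parsed QUICK_MODE request 3295287818 [ HASH ]",
    "01[IKE] sa payload missing",
]

if __name__ == "__main__":
    for new_id, pending in find_overlapping_quick_modes(SAMPLE_LOG):
        print(f"Quick Mode {new_id} started while {pending} still pending")
```
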




