[strongSwan] sa payload missing after reconnection, strongSwan v5.0.4 <> Cisco 3925 ASR v15.0(1)M3
Paul Theodoropoulos
paul at anastrophe.com
Fri May 17 19:18:28 CEST 2013
On 5/17/13 12:23 AM, Martin Willi wrote:
> Hi Paul,
> 16[ENC] parsed QUICK_MODE request 3295287818 [ HASH SA No ID ID ]
> 16[ENC] generating QUICK_MODE response 3295287818 [ HASH SA No ID ID ]
> 02[ENC] parsed QUICK_MODE request 1762205300 [ HASH SA No ID ID ]
> 01[ENC] parsed QUICK_MODE request 3295287818 [ HASH ]
> 01[IKE] sa payload missing
> 14[IKE] integrity check failed
> It looks like the Cisco box is establishing a second Quick Mode before
> the first one has been completed.
>
> charon currently can't handle that, and thinks the third Quick Mode
> message is for the first Quick Mode, while it is actually for the
> second. This of course brings the state machine out of sync, resulting
> in the two errors.
>
> I think we should extend charon to support multiple simultaneous Quick
> Modes. This is not that trivial, though, and certainly requires some
> time. As a workaround, you might try to find out why the Cisco box
> establishes a second Quick Mode, and how this can be avoided.
>
> Regards
> Martin
Thanks for the reply, Martin. I've inquired with the VZW folks regarding
this. I've narrowed down the window during which this happens: if the
attempt to re-establish a connection occurs between zero and fifteen
seconds, it will re-establish fine. Likewise, if the attempt occurs
*after* about 75 seconds, it will re-establish fine. But during the
interval :15 to 1:15, this syndrome will occur repeatedly - though
succeeding attempts after a failed attempt without waiting the 75
seconds will simply keep repeating that 'No proposal chosen' with IKE
established but not the ESP session. It's not an end-of-the-world
situation, but having to put a delay timer in the ipsec startup script
is less than ideal.
--
Paul Theodoropoulos
www.anastrophe.com
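The following is an added illustration, not code from strongSwan or from anyone in this thread: a toy IKEv1 Quick Mode responder run over the four log lines quoted above. The first variant remembers only one Quick Mode at a time, which is the limitation Martin describes; when the Cisco side starts a second Quick Mode (message ID 1762205300) before the first one (3295287818) has finished, the first exchange is dropped and its third message, carrying only a HASH payload, is taken for a fresh first message and rejected for lacking an SA payload. The second variant keys its state by message ID, so the two exchanges proceed independently. The state transitions and error strings are assumptions made for the model and do not reproduce charon's real implementation.

```python
"""Toy model of why interleaved IKEv1 Quick Modes confuse a responder that
tracks only one exchange, and how keying state by message ID fixes it.
This is illustrative code, not charon's implementation."""
import re
from dataclasses import dataclass

# The charon log lines quoted in the thread, in the order they were posted.
LOG = """\
16[ENC] parsed QUICK_MODE request 3295287818 [ HASH SA No ID ID ]
16[ENC] generating QUICK_MODE response 3295287818 [ HASH SA No ID ID ]
02[ENC] parsed QUICK_MODE request 1762205300 [ HASH SA No ID ID ]
01[ENC] parsed QUICK_MODE request 3295287818 [ HASH ]
"""

LINE_RE = re.compile(
    r"(?P<dir>parsed|generating) QUICK_MODE (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]"
)


@dataclass(frozen=True)
class QmMessage:
    inbound: bool     # True for 'parsed' (from the peer), False for 'generating'
    mid: int          # IKEv1 message ID; one per Quick Mode exchange
    payloads: tuple   # payload names as logged, e.g. ('HASH', 'SA', 'No', 'ID', 'ID')


def parse_log(text):
    """Extract Quick Mode messages from charon-style [ENC] log lines."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            msgs.append(QmMessage(m["dir"] == "parsed", int(m["mid"]),
                                  tuple(m["payloads"].split())))
    return msgs


def responder_single_slot(msgs):
    """Responder that remembers only the most recent Quick Mode (toy model).

    A message with an unknown message ID is treated as the first Quick Mode
    message and must carry an SA payload; a message matching the tracked
    exchange is treated as its third message. Starting a second exchange
    overwrites the first, so the first exchange's QM3 is later rejected.
    """
    current = None   # message ID of the single exchange being tracked
    events = []
    for m in msgs:
        if not m.inbound:
            continue
        if m.mid != current:
            if "SA" not in m.payloads:
                events.append(f"{m.mid}: sa payload missing")
                continue
            current = m.mid
            events.append(f"{m.mid}: QM1 accepted, QM2 sent")
        else:
            events.append(f"{m.mid}: QM3 accepted, IPsec SA installed")
    return events


def responder_per_message_id(msgs):
    """Same toy responder with state keyed by message ID, so exchanges may
    overlap. Returns (completed exchange IDs, still-pending IDs, errors)."""
    pending = {}     # mid -> state name; only one state is modelled here
    completed, errors = [], []
    for m in msgs:
        if not m.inbound:
            continue
        if m.mid not in pending:
            if "SA" not in m.payloads:
                errors.append(f"{m.mid}: sa payload missing")
                continue
            pending[m.mid] = "awaiting_qm3"
        else:
            del pending[m.mid]
            completed.append(m.mid)
    return completed, sorted(pending), errors


if __name__ == "__main__":
    msgs = parse_log(LOG)
    print("single slot :", responder_single_slot(msgs))
    print("per msg ID  :", responder_per_message_id(msgs))
```

With the quoted log, the single-slot responder ends with `3295287818: sa payload missing`, the same error charon reported, while the per-message-ID responder completes exchange 3295287818 and leaves 1762205300 waiting for its third message. Paul's observation that the problem only shows up in a roughly one-minute window after a disconnect fits this model: the failure needs the peer to still be mid-way through one Quick Mode when it starts the next, which only happens for a limited time after the tunnel drops.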