[strongSwan] strongSwan - Juniper/Cisco IKEv1 interoperability
Mihai Maties
mihai at xcyb.org
Mon Nov 11 18:52:07 CET 2013
Hi,
What could be the reason for interoperability issues of strongSwan
with Cisco/Juniper devices that cause tunnel instability in IKEv1? I
keep seeing the same pattern with different devices and I find it
unlikely to be the other peer's fault.
Basically, what I see is:
1. IKE successfully established
2. CHILD SAs created and used for a few minutes (<5)
3. the remote peer then sends some IKE messages to us
4. strongSwan ignores the requests completely
5. the remote peer sends a DELETE for the already established IKE session
6. strongSwan complies and deletes both the IKE and IPsec SAs
7. goto 1
Or a more detailed description of the issue:
Main Mode OK: strongSwan (Init cookie I_1) -> Juniper (Resp cookie R_1)
Quick Mode OK: strongSwan (I_1) -> Juniper (R_1)
...
...a few minutes of ESP traffic flows, no other ISAKMP messages are
exchanged. No DPD requests/answers from either end...
...
Main Mode ??: Juniper (I_X) -> strongSwan (R_X) (retransmitted a few times)
Main Mode ??: Juniper (I_X) -> strongSwan (R_X)
Main Mode ??: Juniper (I_X) -> strongSwan (R_X)
Main Mode ??: Juniper (I_X) -> strongSwan (R_X)
Inf DELETE: Juniper (I_1) -> strongSwan (R_1)
Note the I_X/R_X cookies from the ignored packets. They are not the
cookies for the active SAs, but maybe were used at some point in the
past.
As I said, since I encounter the same behavior with both
Juniper/Cisco devices on the other end, it seems more likely to be an
issue with strongSwan.
Any ideas? I already tried changing uniqueids to all possible values,
but without any luck.
Best regards,
Mihai
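The exchange described above, as an added example that is not part of the original post and not strongSwan code: a small Python script that decodes the fixed ISAKMP header (RFC 2408) of each UDP/500 packet in a capture, collapses retransmissions, and reports peer messages that our side never answered, together with whether their cookie pair belongs to an ISAKMP SA for which Quick Mode was seen. The trace below is constructed to mirror the sequence in the post (Main Mode and Quick Mode on I_1/R_1, four ignored Main Mode packets on I_X/R_X, then an Informational on I_1/R_1); the cookie values, the `peer->us`/`us->peer` direction labels and the "answered" heuristic (our next packet is on the same cookie pair) are assumptions of this example, and the Informational payload is not decrypted, so the DELETE itself is inferred, not parsed.

```python
import struct
from typing import List, Tuple

# ISAKMP fixed header, RFC 2408 section 3.1 (28 bytes, network byte order):
# initiator cookie(8) responder cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCH_MAIN_MODE = 2         # Identity Protection exchange (Main Mode, RFC 2409)
EXCH_INFORMATIONAL = 5
EXCH_QUICK_MODE = 32       # Quick Mode, IPsec DOI value used by RFC 2409
EXCH_NAMES = {EXCH_MAIN_MODE: "Main Mode", EXCH_INFORMATIONAL: "Informational",
              EXCH_QUICK_MODE: "Quick Mode"}
FLAG_ENCRYPTION = 0x01     # E bit: payloads after the header are encrypted


def parse_isakmp_header(pkt: bytes) -> dict:
    """Decode the fixed ISAKMP header of one UDP/500 payload."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    return {"icookie": icky.hex(), "rcookie": rcky.hex(), "next_payload": nxt,
            "major": ver >> 4, "minor": ver & 0x0F, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}


def build_hdr(icookie: bytes, rcookie: bytes, exch: int, flags: int = 0,
              msg_id: int = 0, next_payload: int = 0) -> bytes:
    """Build a header-only ISAKMP packet (constructed test input, version 1.0)."""
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exch, flags,
                           msg_id, ISAKMP_HDR.size)


def analyse_trace(trace: List[Tuple[str, bytes]]) -> List[dict]:
    """Report peer messages we never answered and Informationals on established SAs.

    A cookie pair counts as an established ISAKMP SA once Quick Mode is seen on it
    (Quick Mode requires a completed Phase 1). Consecutive identical peer headers are
    treated as retransmissions of one message. Heuristic (assumption of this example):
    a peer message is 'answered' if our very next packet is on the same cookie pair.
    """
    hdrs = [(d, parse_isakmp_header(p)) for d, p in trace]
    established = set()
    findings = []
    i = 0
    while i < len(hdrs):
        direction, h = hdrs[i]
        pair = (h["icookie"], h["rcookie"])
        if h["exchange"] == EXCH_QUICK_MODE:
            established.add(pair)
        if direction != "peer->us":
            i += 1
            continue
        j = i + 1
        while j < len(hdrs) and hdrs[j] == ("peer->us", h):
            j += 1                               # skip retransmissions
        if h["exchange"] == EXCH_INFORMATIONAL:  # no reply expected; note it
            findings.append({"kind": "informational", "pair": pair,
                             "encrypted": bool(h["flags"] & FLAG_ENCRYPTION),
                             "on_established_sa": pair in established})
        else:
            nxt = hdrs[j] if j < len(hdrs) else None
            answered = (nxt is not None and nxt[0] == "us->peer"
                        and (nxt[1]["icookie"], nxt[1]["rcookie"]) == pair)
            if not answered:
                findings.append({"kind": "ignored",
                                 "exchange": EXCH_NAMES.get(h["exchange"], str(h["exchange"])),
                                 "pair": pair, "retransmits": j - i - 1,
                                 "on_established_sa": pair in established})
        i = j
    return findings


# Constructed trace mirroring the sequence in the post (cookie values are made up).
I1, R1 = bytes.fromhex("0a" * 8), bytes.fromhex("0b" * 8)
IX, RX = bytes.fromhex("0c" * 8), bytes.fromhex("0d" * 8)
ZERO = bytes(8)
CONSTRUCTED_TRACE = [
    ("us->peer", build_hdr(I1, ZERO, EXCH_MAIN_MODE)),                  # MM1
    ("peer->us", build_hdr(I1, R1, EXCH_MAIN_MODE)),                    # MM2
    ("us->peer", build_hdr(I1, R1, EXCH_MAIN_MODE)),                    # MM3
    ("peer->us", build_hdr(I1, R1, EXCH_MAIN_MODE)),                    # MM4
    ("us->peer", build_hdr(I1, R1, EXCH_MAIN_MODE, FLAG_ENCRYPTION)),   # MM5
    ("peer->us", build_hdr(I1, R1, EXCH_MAIN_MODE, FLAG_ENCRYPTION)),   # MM6
    ("us->peer", build_hdr(I1, R1, EXCH_QUICK_MODE, FLAG_ENCRYPTION, msg_id=0x1111)),
    ("peer->us", build_hdr(I1, R1, EXCH_QUICK_MODE, FLAG_ENCRYPTION, msg_id=0x1111)),
    ("us->peer", build_hdr(I1, R1, EXCH_QUICK_MODE, FLAG_ENCRYPTION, msg_id=0x1111)),
    # ...ESP flows for a few minutes, then the peer sends on unknown cookies...
    *[("peer->us", build_hdr(IX, RX, EXCH_MAIN_MODE, FLAG_ENCRYPTION))] * 4,
    ("peer->us", build_hdr(I1, R1, EXCH_INFORMATIONAL, FLAG_ENCRYPTION, msg_id=0x2222)),
]

if __name__ == "__main__":
    for f in analyse_trace(CONSTRUCTED_TRACE):
        print(f)
```

On a real capture, feed the UDP payloads in arrival order (NAT-T packets on UDP/4500 carry a 4-byte non-ESP marker before the header, which must be stripped first). An "ignored" finding whose cookie pair is not an established SA, immediately followed by an Informational on the pair that is, matches the sequence described in the post and points at which cookies to search for in the strongSwan log.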