[strongSwan] strongSwan - Juniper/Cisco IKEv1 interoperability

Mihai Maties mihai at xcyb.org
Mon Nov 11 18:52:07 CET 2013


Hi,

What could be the reason for interoperability issues of strongSwan
with Cisco/Juniper devices that cause tunnels instability in IKEv1? I
keep seeing the same pattern with different devices and I find it
unlikely to be the other peer's fault.

Basically, what I see is:

1. IKE successfully established
2. CHILD SAs created and used for a few minutes (<5)
3. the remote peer then sends some IKE messages to us
4. strongSwan ignores the requests completely
5. the remote peer sends a DELETE for the already established IKE session
6. strongSwan complies and deletes both the IKE and IPsec SAs
7. goto 1


Or a more detailed description of the issue:

Main Mode OK:  strongSwan (Init cookie I_1) -> Juniper (Resp cookie R_1)
Quick Mode OK: strongSwan (I_1) -> Juniper (R_1)
...
...a few minutes of ESP traffic flows, no other ISAKMP messages are
exchanged. No DPD requests/answers from either end...
...
Main Mode ??:  Juniper (I_X) -> strongSwan (R_X) (retransmitted a few times)
Main Mode ??:  Juniper (I_X) -> strongSwan (R_X)
Main Mode ??:  Juniper (I_X) -> strongSwan (R_X)
Main Mode ??:  Juniper (I_X) -> strongSwan (R_X)
Inf DELETE:    Juniper (I_1) -> strongSwan (R_1)

Note the I_X/R_X cookies from the ignored packets. They are not the
cookies for the active SAs, but maybe were used at some point in the
past.

As I said, since I encounter the same behavior with both
Juniper/Cisco devices on the other end, it seems more likely to be an
issue with strongSwan.

Any ideas? I already tried changing uniqueids to all possible values,
but without any luck.


Best regards,
Mihai
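The sequence described in the post (unanswered Main Mode messages under cookies that do not belong to the live SA, followed by a DELETE for the live SA) can be spotted mechanically from ISAKMP headers. The following is an added example, not code from the post or from strongSwan: it parses the 28-byte ISAKMP header and flags that pattern over a constructed packet list that mirrors the exchange above; the sample cookies and message IDs are made up.

```python
import struct
from collections import Counter

# ISAKMP header (RFC 2408 s.3.1), 28 bytes, network byte order:
# initiator cookie(8) responder cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message id(4) length(4)
HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, INFORMATIONAL, QUICK_MODE = 2, 5, 32   # IKEv1 exchange types
ISAKMP_VERSION = 0x10                              # major 1, minor 0

def parse_header(pkt):
    """Return (initiator_cookie, responder_cookie, exchange_type)."""
    i_ck, r_ck, _nxt, ver, exch, _flags, _mid, length = HDR.unpack_from(pkt)
    if ver != ISAKMP_VERSION or length < HDR.size:
        raise ValueError("not an IKEv1 ISAKMP header")
    return i_ck, r_ck, exch

def find_ignored_then_deleted(packets):
    """packets: list of (direction, raw); direction is 'in' (from peer) or 'out'.
    Returns [(ignored_initiator_cookie, count, deleted_pair), ...]: inbound
    Main Mode messages under an initiator cookie we never answered, followed
    by an inbound Informational (delete) for a cookie pair we actively used.
    The Informational payload is usually encrypted, so only the header is used."""
    answered = {parse_header(p)[0] for d, p in packets if d == "out"}
    ours = {parse_header(p)[:2] for d, p in packets if d == "out"}
    ignored, findings = Counter(), []
    for d, raw in packets:
        if d != "in":
            continue
        i_ck, r_ck, exch = parse_header(raw)
        if exch == MAIN_MODE and i_ck not in answered:
            ignored[i_ck] += 1
        elif exch == INFORMATIONAL and (i_ck, r_ck) in ours and ignored:
            findings.extend((ck, n, (i_ck, r_ck)) for ck, n in ignored.items())
            ignored.clear()
    return findings

def mk(i_ck, r_ck, exch, nxt=1, mid=0):
    """Build a header-only ISAKMP packet (constructed test data)."""
    return HDR.pack(i_ck, r_ck, nxt, ISAKMP_VERSION, exch, 0, mid, HDR.size)

I1, R1, IX, RX, Z = b"\x01" * 8, b"\x02" * 8, b"\x0a" * 8, b"\x0b" * 8, bytes(8)
SAMPLE = [  # constructed; mirrors the sequence reported in the post
    ("out", mk(I1, Z, MAIN_MODE)), ("in", mk(I1, R1, MAIN_MODE)),
    ("out", mk(I1, R1, QUICK_MODE, mid=0x1234)), ("in", mk(I1, R1, QUICK_MODE, mid=0x1234)),
    ("in", mk(IX, RX, MAIN_MODE)), ("in", mk(IX, RX, MAIN_MODE)), ("in", mk(IX, RX, MAIN_MODE)),
    ("in", mk(I1, R1, INFORMATIONAL, nxt=8, mid=0x5678)),  # HASH then DELETE, encrypted
]

if __name__ == "__main__":
    for ck, n, (i, r) in find_ignored_then_deleted(SAMPLE):
        print(f"{n} unanswered Main Mode msgs under cookie {ck.hex()} before peer deleted SA {i.hex()}/{r.hex()}")
```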



