[strongSwan] Renegotiation when SPI missing

Steffen Heise foolix81-nerd at yahoo.de
Tue Nov 26 23:53:55 CET 2013


Hi Martin,

although it seems a bit constructed, I had exactly this situation last
week. I don't know how it came about that the SPI on one side was
missing, but it was. I am running further tests at the moment to
reproduce the issue.

Anyway, it turned out that when you have an IKE server and a roadwarrior,
for example, the roadwarrior will indeed renegotiate a connection when
the SPI is missing, whereas the server won't. This seems reasonable in
the first place, because the server would not start a keying sequence
normally, but I see no reason why it should not, when there is a
connection already (DPD packets and so on).

Regards,

Steffen

On 26.11.2013 10:14, Martin Willi wrote:
> Hi Steffen,
> 
>> # ip xfrm state flush
>>
>> the connection got down immediately (of course). While I have
>> strongswan configured to use DPD I expected it to renegotiate
>> automatically, but it didn't.
> 
> I think this test is somewhat constructed. Unless the admin explicitly
> deletes kernel state, this can't happen. If an SA expires, then the
> kernel raises an expire event, for which the daemon creates a fresh SA
> pair using rekeying.
> 
> If you want to close an SA explicitly, do such changes over the IKE
> daemon (using the "ipsec" script). This way the IKE daemon knows about
> these changes as well. If you do this for a connection installed with
> auto=route, the daemon gets an acquire from the kernel and establishes a
> new CHILD_SA.
> 
> Regards
> Martin
> 
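A consistency check for the situation discussed in this thread (the IKE daemon still reports an INSTALLED CHILD_SA while one of its SPIs is gone from the kernel), as an added example that is not from the thread or from strongSwan itself. The `ip xfrm state` and `ipsec statusall` outputs below are constructed samples, and the field layouts parsed are assumptions about those tools' output.

```python
import re

# Constructed sample of `ip xfrm state` (kernel view): only the outbound
# SA of the pair survived, so the inbound SPI is missing in the kernel.
XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.1
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0xdeadbeef 128
\tenc cbc(aes) 0xfeedface
"""

# Constructed sample of `ipsec statusall` (daemon view): the daemon still
# believes both SPIs of CHILD_SA home{1} are installed.
IPSEC_STATUS = """\
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 5 minutes ago, 192.0.2.10[moon]...198.51.100.1[sun]
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: 0d0e0f10_i c1a2b3c4_o
        home{1}:   10.1.0.0/16 === 10.2.0.0/16
"""


def kernel_spis(xfrm_state: str) -> set[int]:
    """SPIs the kernel actually holds, parsed from `ip xfrm state`."""
    return {int(m, 16) for m in re.findall(r"\bspi (0x[0-9a-f]+)", xfrm_state)}


def daemon_spis(status: str) -> dict[int, str]:
    """SPIs the IKE daemon reports as installed, mapped to the CHILD_SA name."""
    spis = {}
    pattern = r"(\S+\{\d+\}):\s+INSTALLED.*?ESP SPIs: ([0-9a-f_io ]+)"
    for name, spi_list in re.findall(pattern, status):
        for spi in re.findall(r"([0-9a-f]+)_[io]", spi_list):
            spis[int(spi, 16)] = name
    return spis


def missing_spis(xfrm_state: str, status: str) -> dict[str, list[int]]:
    """CHILD_SAs whose SPIs the daemon reports but the kernel no longer has."""
    present = kernel_spis(xfrm_state)
    missing: dict[str, list[int]] = {}
    for spi, name in daemon_spis(status).items():
        if spi not in present:
            missing.setdefault(name, []).append(spi)
    return missing


if __name__ == "__main__":
    for name, spis in missing_spis(XFRM_STATE, IPSEC_STATUS).items():
        print(f"{name}: SPI(s) missing in kernel: {[hex(s) for s in spis]}")
```

On a live host the two inputs would come from `ip xfrm state` and `ipsec statusall`; a non-empty result is the state this thread describes, where the daemon does not renegotiate by itself.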