[strongSwan] After a failed CHILD_SA rekey, rekey attempt is being continuously done

m.divya.mohan m.divya.mohan at zoho.com
Wed Apr 23 07:29:44 CEST 2014



Hi,

I have established an IPSec tunnel: Charon daemon (strongSwan 4.3.6)
<===> Juniper.
IKE lifetime is 7200s and IPSec lifetime is 3600s on both sides.

As seen from the logs, CHILD_SA cd2a4522_i was created around time 06:37.
At time 07:37, rekeying was attempted and this failed, and this is
being re-tried.

I could see that even after 12 hours (at 13:38), the rekeying attempt
is still going on.
Juniper rejects rekeying with error 'SPI does not exist'.
Is this expected, or will the rekey attempt be stopped after some time limit?

Charon logs:
------------

Apr 16 06:37:42.942929 info charon: 06[IKE] establishing CHILD_SA
rule1518~vpn1518{1002}
Apr 16 06:37:42.944609 info charon: 15[IKE] CHILD_SA
rule1518~vpn1518{1002} established with SPIs cd2a4522_i a17a92e1_o and
TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
Apr 16 06:37:42.954428 info charon: 14[IKE] CHILD_SA
rule1518~vpn1518{1002} established with SPIs ce1b6e0d_i 06780df7_o and
TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
Apr 16 06:37:42.954509 info charon: 14[IKE] CHILD_SA rekey collision
won, deleting rekeyed child
Apr 16 06:37:42.954755 info charon: 14[IKE] closing CHILD_SA
rule1518~vpn1518{1002} with SPIs cfa83e0c_i (168168 bytes) f76cd093_o
(106106 bytes) and TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
Apr 16 06:37:42.954885 info charon: 14[IKE] sending DELETE for ESP
CHILD_SA with SPI cfa83e0c
Apr 16 06:37:42.959655 info charon: 10[IKE] received DELETE for ESP
CHILD_SA with SPI f76cd093
Apr 16 06:37:42.959733 info charon: 10[IKE] CHILD_SA closed

Apr 16 07:37:15.198137 info charon: 07[IKE] establishing CHILD_SA
rule1518~vpn1518{1002}
Apr 16 07:37:15.203829 info charon: 14[IKE] received
NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 07:37:15.203907 info charon: 14[IKE] CHILD_SA rekeying failed,
trying again in 25 seconds
Apr 16 07:37:19.130609 info charon: 15[IKE] establishing CHILD_SA
rule1518~vpn1518{1002}
Apr 16 07:37:19.137202 info charon: 01[IKE] received
NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 07:37:19.137282 info charon: 01[IKE] CHILD_SA rekeying failed,
trying again in 22 seconds

Apr 16 13:38:08.101963 info charon: 02[IKE] establishing CHILD_SA
rule1518~vpn1518{1002}
Apr 16 13:38:08.111196 info charon: 12[IKE] received
NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 13:38:08.111275 info charon: 12[IKE] CHILD_SA rekeying failed,
trying again in 28 seconds

Juniper logs:
-------------

[Apr 16 13:37:10]iked_pm_ike_spd_notify_received: Received
authenticated notification payload Rekey SA from local:192.168.218.2
remote:192.168.218.1 IKEv2 for P1 SA 1429728
[Apr 16 13:37:10]ikev2_decode_packet: [9075400/9067c00] Received
packet: HDR, N(REKEY_SA), SA, Nonce, TSi, TSr
[Apr 16 13:37:10]outbound SPI 0xcd2a4522 does not exist for rekey
case. Dropping rekey request
[Apr 16 13:37:10]ikev2_reply_cb_child_resp_ipsec_spi_allocate:
[9075400/9067c00] Error: IPsec SA allocate failed: 14
[Apr 16 13:37:10]ikev2_state_error: [9075400/9067c00] Negotiation
failed because of error No proposal chosen (14)


- Divya
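The post describes a CHILD_SA whose rekey keeps failing with NO_PROPOSAL_CHOSEN and is retried indefinitely. The script below is an added example (not part of the post and not strongSwan code) that reads charon log lines and flags a CHILD_SA that has been stuck in a rekey-retry loop longer than a threshold, which is the kind of check an operator would want in monitoring. It assumes the syslog-style timestamp format shown in the post (which carries no year, so the year is supplied as a parameter), and it correlates a "rekeying failed" line with the most recent "establishing CHILD_SA <name>" line, a heuristic that is adequate for a single tunnel but can misattribute when several connections rekey concurrently. The sample log is the post's own charon output with the wrapped lines rejoined.

```python
import re
from datetime import datetime

# Charon log lines from the post, rejoined onto single lines (sample input).
SAMPLE_LOG = """\
Apr 16 06:37:42.942929 info charon: 06[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 06:37:42.944609 info charon: 15[IKE] CHILD_SA rule1518~vpn1518{1002} established with SPIs cd2a4522_i a17a92e1_o and TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
Apr 16 07:37:15.198137 info charon: 07[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 07:37:15.203829 info charon: 14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 07:37:15.203907 info charon: 14[IKE] CHILD_SA rekeying failed, trying again in 25 seconds
Apr 16 07:37:19.130609 info charon: 15[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 07:37:19.137202 info charon: 01[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 07:37:19.137282 info charon: 01[IKE] CHILD_SA rekeying failed, trying again in 22 seconds
Apr 16 13:38:08.101963 info charon: 02[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 13:38:08.111196 info charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 13:38:08.111275 info charon: 12[IKE] CHILD_SA rekeying failed, trying again in 28 seconds
"""

# "Apr 16 07:37:15.203907 info charon: 14[IKE] <message>"; fractional seconds dropped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ +\w+ +charon: +\d+\[\w+\] (?P<msg>.*)$"
)
ESTABLISHING_RE = re.compile(r"establishing CHILD_SA (?P<name>\S+)")
ESTABLISHED_RE = re.compile(r"CHILD_SA (?P<name>\S+) established with")
NOTIFY_RE = re.compile(r"received (?P<notify>[A-Z_]+) notify")
FAILED_RE = re.compile(r"CHILD_SA rekeying failed, trying again in (?P<delay>\d+) seconds")


def parse_ts(ts_text, year):
    # Syslog timestamps carry no year; the caller supplies it (assumption).
    return datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")


def find_rekey_loops(lines, max_duration_s=3600, year=2014):
    """Return CHILD_SAs whose rekey retries have spanned at least max_duration_s.

    A successful 'established with SPIs' line for a name clears its failure
    history, so only an unbroken run of failures is reported.
    """
    failures = {}      # name -> {"first": ts, "last": ts, "count": n, "last_notify": str}
    last_name = None   # name from the most recent "establishing CHILD_SA" line (heuristic)
    last_notify = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts"), year), m.group("msg")
        if e := ESTABLISHING_RE.search(msg):
            last_name = e.group("name")
        elif e := ESTABLISHED_RE.search(msg):
            failures.pop(e.group("name"), None)   # rekey succeeded: reset history
        elif n := NOTIFY_RE.search(msg):
            last_notify = n.group("notify")
        elif FAILED_RE.search(msg) and last_name:
            st = failures.setdefault(last_name, {"first": ts, "last": ts, "count": 0, "last_notify": None})
            st["last"], st["count"], st["last_notify"] = ts, st["count"] + 1, last_notify
    report = []
    for name, st in failures.items():
        duration = int((st["last"] - st["first"]).total_seconds())
        if duration >= max_duration_s:
            report.append({"name": name, "failures": st["count"], "duration_s": duration,
                           "first": st["first"], "last": st["last"], "last_notify": st["last_notify"]})
    return report


if __name__ == "__main__":
    for r in find_rekey_loops(SAMPLE_LOG.splitlines()):
        print(f"{r['name']}: {r['failures']} failed rekeys over {r['duration_s']}s "
              f"({r['first']:%H:%M:%S} .. {r['last']:%H:%M:%S}), last notify {r['last_notify']}")
```

Run against the post's lines this reports the single CHILD_SA with three logged failures spanning just over six hours; lowering `max_duration_s` to the rekey interval (3600 s, the IPsec lifetime in the post) catches a loop as soon as it has outlived one full lifetime, which is the point at which the peer's "SPI does not exist" rejection stops being a transient collision and becomes a stale-state mismatch worth alerting on.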