[strongSwan] After a failed CHILD_SA rekey, rekey attempt is being continuously done

Noel Kuntze noel at familie-kuntze.de
Wed Apr 23 09:40:56 CEST 2014



Hello,

That is a known issue and is caused by certain Juniper firmwares returning wrong SPI numbers.
To work around this issue, disable rekeying (rekey=no) and reauthenticate instead.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 23.04.2014 07:29, schrieb m.divya.mohan:
> Hi,
> 
> I have established an IPSec tunnel: Charon daemon (strongSwan 4.3.6)
> <===> Juniper.
> IKE lifetime is 7200s and IPSec lifetime is 3600s on both sides.
> 
> As seen from the logs, CHILD_SA cd2a4522_i was created around time 06:37.
> At time 07:37, rekeying was attempted and this failed, and this is
> being re-tried.
> 
> I could see that even after 12 hours (at 13:38), the rekeying attempt
> is still going on.
> Juniper rejects rekeying with error 'SPI does not exist'.
> Is this expected, or will the rekey attempt be stopped after some time-limit?
> 
> Charon logs:
> ------------
> 
> Apr 16 06:37:42.942929 info charon: 06[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
> Apr 16 06:37:42.944609 info charon: 15[IKE] CHILD_SA rule1518~vpn1518{1002} established with SPIs cd2a4522_i a17a92e1_o and TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
> Apr 16 06:37:42.954428 info charon: 14[IKE] CHILD_SA rule1518~vpn1518{1002} established with SPIs ce1b6e0d_i 06780df7_o and TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
> Apr 16 06:37:42.954509 info charon: 14[IKE] CHILD_SA rekey collision won, deleting rekeyed child
> Apr 16 06:37:42.954755 info charon: 14[IKE] closing CHILD_SA rule1518~vpn1518{1002} with SPIs cfa83e0c_i (168168 bytes) f76cd093_o (106106 bytes) and TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
> Apr 16 06:37:42.954885 info charon: 14[IKE] sending DELETE for ESP CHILD_SA with SPI cfa83e0c
> Apr 16 06:37:42.959655 info charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI f76cd093
> Apr 16 06:37:42.959733 info charon: 10[IKE] CHILD_SA closed
> 
> Apr 16 07:37:15.198137 info charon: 07[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
> Apr 16 07:37:15.203829 info charon: 14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
> Apr 16 07:37:15.203907 info charon: 14[IKE] CHILD_SA rekeying failed, trying again in 25 seconds
> Apr 16 07:37:19.130609 info charon: 15[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
> Apr 16 07:37:19.137202 info charon: 01[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
> Apr 16 07:37:19.137282 info charon: 01[IKE] CHILD_SA rekeying failed, trying again in 22 seconds
> 
> Apr 16 13:38:08.101963 info charon: 02[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
> Apr 16 13:38:08.111196 info charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
> Apr 16 13:38:08.111275 info charon: 12[IKE] CHILD_SA rekeying failed, trying again in 28 seconds
> 
> Juniper logs:
> -------------
> 
> [Apr 16 13:37:10]iked_pm_ike_spd_notify_received: Received authenticated notification payload Rekey SA from local:192.168.218.2 remote:192.168.218.1 IKEv2 for P1 SA 1429728
> [Apr 16 13:37:10]ikev2_decode_packet: [9075400/9067c00] Received packet: HDR, N(REKEY_SA), SA, Nonce, TSi, TSr
> [Apr 16 13:37:10]outbound SPI 0xcd2a4522 does not exist for rekey case. Dropping rekey request
> [Apr 16 13:37:10]ikev2_reply_cb_child_resp_ipsec_spi_allocate: [9075400/9067c00] Error: IPsec SA allocate failed: 14
> [Apr 16 13:37:10]ikev2_state_error: [9075400/9067c00] Negotiation failed because of error No proposal chosen (14)
> 
> 
> - Divya
> 
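The retry loop Divya describes (the same CHILD_SA failing its rekey every 20 to 30 seconds for hours) is easy to alert on if you parse charon's log rather than wait for someone to notice. The script below is an added example for this thread; it is not code from the thread, from strongSwan or from Juniper. It assumes charon's default syslog-style log format as quoted above, takes the year as 2014 because the timestamps carry none, and the function names, the thresholds and the idea of attributing each "rekeying failed" line to the most recent "establishing CHILD_SA" line are my own choices (the thread id on those two lines differs, 07 versus 14, so it cannot be used for correlation). The sample input is the thread's charon lines, unwrapped to one line per event. It also maps the SPI the peer rejects (0xcd2a4522 in the Juniper log) back to the CHILD_SA strongSwan established it under, which is the comparison you make when deciding whether the peer or the local daemon has the wrong SPI.

```python
"""Detect CHILD_SA rekey retry loops in strongSwan charon logs (added example)."""
import re
from datetime import datetime

# Constructed sample: the charon lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Apr 16 06:37:42.944609 info charon: 15[IKE] CHILD_SA rule1518~vpn1518{1002} established with SPIs cd2a4522_i a17a92e1_o and TS (vr13)172.16.218.0/30 === (vr13)172.17.218.0/30
Apr 16 07:37:15.198137 info charon: 07[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 07:37:15.203829 info charon: 14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 07:37:15.203907 info charon: 14[IKE] CHILD_SA rekeying failed, trying again in 25 seconds
Apr 16 07:37:19.130609 info charon: 15[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 07:37:19.137202 info charon: 01[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 07:37:19.137282 info charon: 01[IKE] CHILD_SA rekeying failed, trying again in 22 seconds
Apr 16 13:38:08.101963 info charon: 02[IKE] establishing CHILD_SA rule1518~vpn1518{1002}
Apr 16 13:38:08.111196 info charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 16 13:38:08.111275 info charon: 12[IKE] CHILD_SA rekeying failed, trying again in 28 seconds
"""

# Assumed log layout: "<Mon> <day> <HH:MM:SS>.<usec> <level> charon: <thread>[IKE] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\.\d+ \S+ charon: "
    r"(?P<thread>\d+)\[IKE\] (?P<msg>.*)$")
ESTABLISHING_RE = re.compile(r"^establishing CHILD_SA (?P<name>\S+)$")
ESTABLISHED_RE = re.compile(
    r"^CHILD_SA (?P<name>\S+) established with SPIs "
    r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o")
FAILED_RE = re.compile(r"^CHILD_SA rekeying failed, trying again in (?P<delay>\d+) seconds$")


def parse_events(lines, year=2014):
    """Yield (timestamp, kind, child_sa_name, extra) for the events we care about."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space before single-digit days
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # year is assumed
        msg = m["msg"]
        e = ESTABLISHING_RE.match(msg)
        if e:
            yield ts, "establishing", e["name"], None
            continue
        e = ESTABLISHED_RE.match(msg)
        if e:
            yield ts, "established", e["name"], (e["spi_in"], e["spi_out"])
            continue
        e = FAILED_RE.match(msg)
        if e:
            yield ts, "rekey_failed", None, int(e["delay"])


def find_stalled_rekeys(lines, year=2014, min_failures=3, min_duration_s=3600):
    """Return CHILD_SAs whose rekey has kept failing for at least min_duration_s.

    The 'rekeying failed' line names no CHILD_SA and is logged by a different
    thread than the 'establishing' line, so each failure is attributed to the
    most recent 'establishing CHILD_SA <name>' event (an assumption).
    """
    pending = None
    loops = {}
    for ts, kind, name, extra in parse_events(lines, year):
        if kind == "establishing":
            pending = name
        elif kind == "established":
            loops.pop(name, None)  # a successful (re)key ends any loop for this SA
            pending = None
        elif kind == "rekey_failed" and pending is not None:
            s = loops.setdefault(pending, {"first": ts, "last": ts, "failures": 0, "retry_delays": []})
            s["last"] = ts
            s["failures"] += 1
            s["retry_delays"].append(extra)
            pending = None
    stalled = {}
    for name, s in loops.items():
        duration_s = int((s["last"] - s["first"]).total_seconds())
        if s["failures"] >= min_failures and duration_s >= min_duration_s:
            stalled[name] = {**s, "duration_s": duration_s}
    return stalled


def lookup_spi(lines, spi, year=2014):
    """Map an SPI a peer reports to (CHILD_SA name, direction as charon sees it).

    Direction flips across the tunnel: charon's inbound ('_i') SPI is the peer's
    outbound SPI, which is what the Juniper 'outbound SPI ... does not exist' line names.
    """
    spi = spi.lower()
    if spi.startswith("0x"):
        spi = spi[2:]
    spi = spi.zfill(8)
    found = None
    for _ts, kind, name, extra in parse_events(lines, year):
        if kind == "established":
            spi_in, spi_out = extra
            if spi == spi_in:
                found = (name, "inbound")
            elif spi == spi_out:
                found = (name, "outbound")
    return found  # the latest CHILD_SA that carried this SPI, or None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, s in find_stalled_rekeys(lines).items():
        print(f"{name}: {s['failures']} failed rekeys over {s['duration_s']} s "
              f"(first {s['first']}, last {s['last']}, retry delays {s['retry_delays']})")
    print("peer-rejected SPI 0xcd2a4522 ->", lookup_spi(lines, "0xcd2a4522"))
```

On the thread's lines this reports one stalled CHILD_SA, rule1518~vpn1518{1002}, with three logged failures spanning 21653 seconds, and resolves 0xcd2a4522 to that CHILD_SA's inbound SPI. Piping a full charon log through find_stalled_rekeys with a threshold a little above your configured retry interval turns Divya's "still going on after 12 hours" into an alert within the hour; the fix itself is Noel's workaround above (rekey=no with reauthentication), the script only tells you when you need it.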