[strongSwan] After a failed CHILD_SA rekey, rekey attempt is being continuously done
noel at familie-kuntze.de
Fri Apr 25 13:10:15 CEST 2014
I'm sorry, I overlooked your email.
Charon could do that, but the case that a peer sends a wrong SPI number is really unlikely and hence was probably not caught.
Yes, charon should just abort rekeying, if the peer sends an error about rekeying.
The problem is with Juniper's firmware, but I think it got fixed lately.
I do not operate any Juniper boxes and only saw this issue on the mailing list here.
Looking through the archives probably yields a more precise explanation for this problem.
SPI numbers are used to identify different SAs between peers.
See RFC2041 for more details.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 25.04.2014 12:30, m.divya.mohan wrote:
> Could you please help regarding this.
> - Divya
> ---- On Wed, 23 Apr 2014 22:00:36 -0700 m.divya.mohan wrote ----
>> Sorry, I did not understand how this could be an issue with Juniper.
>> Could you please elaborate on this.
>> When the rekey attempt fails, shouldn't charon delete this SA after a limited number of retries, instead of infinitely trying to rekey?
>> - Divya
>>> That is a known issue and is caused by certain Juniper firmwares returning wrong SPI numbers.
>>> To work around this issue, disable rekeying (rekey=no) and reauthenticate instead.
>>> Noel Kuntze
> Users mailing list
> Users at lists.strongswan.org