[strongSwan] After a failed CHILD_SA rekey, rekey attempt is being continuously done

Noel Kuntze noel at familie-kuntze.de
Fri Apr 25 13:10:15 CEST 2014



Hello Divya,

I'm sorry, I overlooked your email.
Charon could do that, but the case that a peer sends a wrong SPI number is really unlikely and hence was probably not caught.
Yes, charon should just abort rekeying if the peer sends an error about rekeying.
The problem is with Juniper's firmware, but I think it got fixed lately.
I do not operate any Juniper boxes and only saw this issue on the mailing list here.
Looking through the archives probably yields a more precise explanation for this problem.
SPI numbers are used to identify different SAs between peers. 
See RFC2041 for more details.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 25.04.2014 12:30, m.divya.mohan wrote:
> Hi,
> 
> Could you please help regarding this?
> 
> - Divya
> 
> ---- On Wed, 23 Apr 2014 22:00:36 -0700 m.divya.mohan  wrote ---- 
> 
>> Hi,
>>
>> Sorry, I did not understand how this could be an issue with Juniper.
>> Could you please elaborate on this?
>>
>> When the rekey attempt fails, shouldn't charon delete this SA after a limited number of retries, instead of infinitely trying to rekey?
>>
>> - Divya 
>>
>> --
>>> Hello,
>>>
>>> That is a known issue and is caused by certain Juniper firmwares returning wrong SPI numbers.
>>> To work around this issue, disable rekeying (rekey=no) and reauthenticate instead.
>>>
>>> Regards,
>>> Noel Kuntze
>>
>>
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
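As an added example that is not part of this thread, the ipsec.conf fragment below applies the workaround Noel describes (rekey=no and reauthentication instead of rekeying) to a strongSwan IKEv2 connection. The connection name, addresses, identities, proposals and lifetime values are assumptions chosen for illustration.

```conf
# Added example, not from the thread: ipsec.conf conn section for a peer whose
# CHILD_SA rekey responses cannot be relied on.
# Connection name, addresses, identities, proposals and lifetimes are assumptions.
conn to-juniper
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@vpn-a.example.net
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightid=@vpn-b.example.net
    rightsubnet=10.2.0.0/16
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    # Workaround from the thread: this end does not initiate rekeying
    # of the SAs towards the peer ...
    rekey=no
    # ... and renews the IKE_SA by full reauthentication instead, which
    # builds a fresh IKE_SA and re-creates the IPsec SAs on it
    reauth=yes
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    auto=start
```

Two caveats when using this: rekey=no only stops charon from requesting renegotiation; if the peer requests a rekey, charon still responds to it, so the peer should be configured to match. Check the ipsec.conf documentation for the charon version in use for how rekey=no and the lifetime keywords interact, and confirm the resulting behaviour with ipsec statusall and the charon log after the first lifetime expires.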
