[strongSwan] IKE_SA rekey happening without CREATE_CHILD_SA packet?

Martin Willi martin at strongswan.org
Wed Apr 30 15:22:00 CEST 2014

Hi Divya,

> Subsequent packets uses these cookies, till an IKE_SA rekey happens at
> packet #53, in CREATE_CHILD_SA.

> My understanding is that the cookie values should change only when
> IKE_SA rekey happens, in a CREATE_CHILD_SA packet. 

The CREATE_CHILD_SA exchange to rekey an IKE_SA takes place under the
old IKE_SA. Hence the CREATE_CHILD_SA exchange, and the following
INFORMATIONAL exchange to delete the old IKE_SA, both use the SPIs of
the old IKE_SA (under IKEv2 we name these SPIs, COOKIE has a different
meaning with IKEv2).

The SPIs of the new IKE_SA are used for any subsequent exchanges on the
new IKE_SA, whatever that is. Most likely it is a INFORMATIONAL exchange
for DPD checking.

Refer to RFC 5996 for more details how IKE_SA rekeying works.


More information about the Users mailing list