[strongSwan] CHILD SA and PFS

Thomas Egerer hakke_007 at gmx.de
Mon Aug 4 15:40:10 CEST 2014

Hi Emeric,

On 08/04/2014 10:11 AM, Emeric POUPON wrote:
> Hello,
> Thanks for your answer!
> You are right, the initial CHILD_SA is negotiated during the IKE_AUTH exchange.
> I do see a rekey of the CHILD_SA, and there is indeed a PFS included.
> However, there is a questionable situation in the case the initiator and the responder sides do not share the same 'esp' PFS group (I set the initiator's lifetime to 3m for testing purposes)
> - The first CHILD_SA is created on both sides using IKE_AUTH.
> - When the rekey occurs, the responder tells the initiator that no suitable proposal has been chosen. Furthermore the responder keeps the current IKE and CHILD SAs.
> - The initiator then shows a 'rekeying active' status but its SA ends up killed by the kernel.
> - The initiator has to wait for the IKE SA rekey to get the CHILD SA up again.
If initiator and responder do not share any PFS group,
what would you expect the IKE-daemon to do? This is a
broken configuration which only happens to work since
the first CHILD_SA is established piggybacking the
IKE_AUTH exchange.
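The behaviour discussed in this thread can be reproduced with a small model of IKEv2 CHILD_SA proposal selection. The following Python is an added illustration written for this archive page, not strongSwan code: it parses strongSwan-style `esp` proposal strings (transforms joined by `-`, alternatives joined by `,`; the trailing `modp`/`ecp` transform is the PFS group), and selects a proposal once for the first CHILD_SA (where the DH group is not negotiated, because the keys derive from the IKE_SA's own exchange) and once for a CREATE_CHILD_SA rekey (where the groups must agree). The proposal strings, the `simulate` helper and the simplified "whole proposal must match" rule are assumptions made for the example; real strongSwan matches per transform type.

```python
"""Simplified model of IKEv2 CHILD_SA proposal selection.

Added illustration for the mailing-list discussion above; this is NOT
strongSwan's proposal code. It only captures why a configuration with
mismatched PFS groups works for the first CHILD_SA but fails on rekey.
"""

# Transform names that denote a DH (PFS) group in strongSwan proposal syntax.
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")


def parse_proposals(spec):
    """Turn 'aes256-sha256-modp2048,aes128-sha1' into
    [(('aes256', 'sha256'), 'modp2048'), (('aes128', 'sha1'), None)]."""
    proposals = []
    for prop in spec.split(","):
        transforms = prop.strip().split("-")
        dh = [t for t in transforms if t.startswith(DH_PREFIXES)]
        crypto = tuple(t for t in transforms if not t.startswith(DH_PREFIXES))
        proposals.append((crypto, dh[0] if dh else None))
    return proposals


def select_proposal(initiator_spec, responder_spec, first_child_sa):
    """Return (crypto, dh_group) for the chosen proposal, or None.

    None corresponds to the responder answering NO_PROPOSAL_CHOSEN.
    Simplification (assumption): the non-DH transforms of a proposal must
    match as a whole; strongSwan matches each transform type separately.
    """
    for i_crypto, i_dh in parse_proposals(initiator_spec):
        for r_crypto, r_dh in parse_proposals(responder_spec):
            if i_crypto != r_crypto:
                continue
            if first_child_sa:
                # The CHILD_SA created inside IKE_AUTH has no DH exchange of
                # its own, so the configured PFS group plays no role here.
                return i_crypto, None
            if i_dh == r_dh:
                # CREATE_CHILD_SA rekey: the PFS group is part of the
                # proposal and has to be identical on both sides.
                return i_crypto, i_dh
    return None


def simulate(initiator_spec, responder_spec):
    """Run both phases and report the outcome of each (hypothetical helper)."""
    return {
        "ike_auth": select_proposal(initiator_spec, responder_spec, True),
        "rekey": select_proposal(initiator_spec, responder_spec, False),
    }


if __name__ == "__main__":
    # Constructed configurations, mirroring the situation in the thread:
    # both sides agree on cipher and integrity, but not on the PFS group.
    mismatched = simulate("aes256-sha256-modp2048", "aes256-sha256-modp3072")
    # Corrected configuration: the same PFS group on both peers.
    matching = simulate("aes256-sha256-modp2048", "aes256-sha256-modp2048")
    for name, result in (("mismatched", mismatched), ("matching", matching)):
        for phase, chosen in result.items():
            status = "NO_PROPOSAL_CHOSEN" if chosen is None else chosen
            print(f"{name:10s} {phase:9s} -> {status}")
```

With the mismatched pair the first CHILD_SA is set up while the rekey is refused, which is the "works until the rekey" symptom reported above; the fix is a configuration change (same PFS group on both peers, or a proposal list that includes a group both support), not anything the daemon could do at rekey time.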