[strongSwan] turning off ikev1 reauthentication initiation from responder

SM K sacho.polo at gmail.com
Tue Aug 25 06:46:26 CEST 2015


Is there a way to turn off IKEv1 reauthentication from strongswan when it
is a responder? We tried using reauth=no, but it does not work as expected.

We have a setup where some junipers (SRX and SSG) initiate an ikev1 tunnel
to a strongswan responder. We are seeing issues during reauthentication of
Phase1. At least one issue happens when strongswan initiates the
reauthentication and fails to setup the phase1. When this happens, it seems
that strongswan is sending the DPD requests over the failed tunnel and
since DPD responses do not come back from Junipers, DPD action is enforced
and all phase2s are cleared. The Juniper however thinks the Phase 2s are
still active and keep sending ESP packets which are dropped by the kernel.
This happens until Junipers DPD kicks in and clears the SAs. However, if
the DPD is not setup on Juniper or is long, the traffic is stopped forever
(or for a long time).

We do not want strongswan to reauthenticate. We want it to only respond to
reauthentication from the peer. Using reauth=no seemed to work only when
the reauth was disabled on the Juniper. However if Juniper is configured
with X seconds, then I see a log line in strongswan's logs saying
"rescheduling reauthentication in X seconds"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150824/93d77c96/attachment.html>

More information about the Users mailing list