[strongSwan] Windows StrongSwan cannot establish CHILD_SA due to CREATE_CHILD_SA kicks in every outbound packet.

Tobias Brunner tobias at strongswan.org
Tue Dec 15 11:13:36 CET 2015


> Since nobody answers me, I tested and here is something what I found. 

Noel already answered and pointed out the error here:

> 2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035

Which means the IPsec SA is not properly installed.  If the IPsec
policies are installed successfully, though, then this could cause
acquires to get triggered as the kernel won't find the associated SA and
notifies the daemon, which will initiate another CREATE_CHILD_SA exchange.

> So I went back to version 5.2.1, and I see the tunnel just got brought
> up without issue.
> However from 5.3.0, Windows StrongSwan with IKEv2 tunneling is failing.

So it might help if you used `git bisect` to find the commit that causes
the failure.


More information about the Users mailing list