[strongSwan] Handling of overlapping tunnel establishment

Joern Mewes joern.mewes at gmx.net
Thu Jul 30 16:58:13 CEST 2015

Hi all,

Apologies for bothering you again with this, but does anyone of you have
an idea how to address the interoperability problem I was describing
in my earlier email?

To save you reading my former (quite long) email, let me summarize
the problem again:

- We have an existing VPN between strongswan 5.2.2 and a Juniper SRX
- The connection breaks due to an external event, SAs get cleared on
both sides due to DPD
- Both peers start sending IKE-INITS as there is traffic for the tunnel
- Network is still down, both peers start retransmitting the IKE-INIT
- The Connection recovers
- Firstly “Juniper as initiator” tunnel established. Tunnel is fine /
traffic is fine
- Now the "strongswan as initiator" tunnel is established. Immediately
strongswan deletes the Child SA of its own initiated tunnel
- for outgoing traffic the SPI from the first Child SA is used by strongswan
- Juniper sends a CREATE_CHILD_SA request to create a Child SA on the
strongswan-initiated IKE SA, traffic drops.
- strongswan rejects this Child SA request again and again, traffic
stays down till the next SA rekeying.

Is there any chance to force strongswan to either:

1. close the half-open SA and stop retransmitting the IKE-INIT if
there is already an active SA for this particular connection
2. close both CHILD-SA and IKE-SA if it detects double Child-SA pairs

Looking forward to any idea helping to solve this issue.

Thanks and have a nice day


More information about the Users mailing list