[strongSwan] Message ID mismatch and SET_WINDOW_SIZE and INVALID_MESSAGE_ID question

Sial Nije sialnije at gmail.com
Thu Nov 26 23:02:27 CET 2015


Greetings,

I am running strongSwan 5.3.2 talking to a Windows client.
At child_sa rekey time the Windows client always fires off two requests in
parallel: one is a keepalive and the other a rekey_sa. Almost always the two
messages arrive in the wrong order and the connection must be torn down and
re-negotiated from the start.

This is the log on the strongSwan side:

parsed INFORMATIONAL request 10 [ D ]
received message ID 10, expected 9. Ignored

parsed INFORMATIONAL request 11 [ ]
received message ID 11, expected 9. Ignored

. . .

The other vendor insisted that the standard allows them to send out multiple
messages in parallel.
RFC 7296 section 2.3, "Window Size for Overlapping Requests", states that a
peer can send out multiple messages without waiting for a reply if it has
received a SET_WINDOW_SIZE notification and the size is greater than 1.

RFC 7296 also states this:

   The INVALID_MESSAGE_ID notification is sent when an IKE Message ID
   outside the supported window is received.  This Notify message
   MUST NOT be sent in a response; the invalid request MUST NOT be
   acknowledged...

Can the strongSwan development team confirm whether the window size is
greater than 1?
If strongSwan never sends such a notify message, how come there is no
INVALID_MESSAGE_ID notification message? Is it optional?

Thanks
Simon
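The following is an added illustration of the Message ID windowing rules the post quotes from RFC 7296 sections 2.2 and 2.3; it is not strongSwan code, not the Windows client's behaviour, and not part of the original mail. It models a responder that accepts requests whose Message ID falls inside its declared window, retransmits a retained response for an already-answered ID, and ignores everything else, plus an initiator that may not exceed the peer's window. The replay of requests 10 and 11 arriving while 9 is expected is constructed from the log lines in the post; the "late request 9" that follows them and the window sizes compared are assumptions for the sake of the example.

```python
"""Model of IKEv2 Message ID windowing (RFC 7296 sections 2.2 and 2.3).

Added illustration, not strongSwan's implementation. A responder with
window N accepts request IDs in [next_expected, next_expected + N - 1],
retransmits a retained response for an ID it already answered, and
ignores anything else. An initiator may send request X only once all
requests up through X - N have been answered.
"""
from typing import Dict, List, Optional, Set, Tuple


class Responder:
    """Request-receiving side of an IKE SA with a declared window size."""

    def __init__(self, window_size: int = 1) -> None:
        if window_size < 1:
            raise ValueError("window size must be at least 1")
        self.window_size = window_size
        self.next_expected = 0                 # lowest Message ID not yet answered
        self.responses: Dict[int, str] = {}    # retained responses keyed by Message ID
        self.log: List[str] = []               # lines in the style of the posted log

    def receive(self, msg_id: int, exchange: str) -> Tuple[str, Optional[str]]:
        """Handle one incoming request; returns (action, response)."""
        if msg_id in self.responses:
            # Retransmitted request: resend the retained response (RFC 7296 2.1).
            return "retransmit", self.responses[msg_id]
        highest = self.next_expected + self.window_size - 1
        if msg_id < self.next_expected or msg_id > highest:
            # Outside the window: drop it, no response, no acknowledgement.
            self.log.append(
                f"received message ID {msg_id}, expected {self.next_expected}. Ignored"
            )
            return "ignore", None
        response = f"{exchange} response {msg_id}"
        self.responses[msg_id] = response
        # Advance over contiguous answered IDs; a gap (an ID still in flight)
        # keeps next_expected where it is, so higher IDs stay answerable.
        while self.next_expected in self.responses:
            self.next_expected += 1
        # Retain only the last `window_size` responses below next_expected.
        floor = self.next_expected - self.window_size
        for old in [i for i in self.responses if i < floor]:
            del self.responses[old]
        return "process", response


class Initiator:
    """Request-sending side, bound by the peer's declared window size."""

    def __init__(self, peer_window: int = 1) -> None:
        self.peer_window = peer_window
        self.next_id = 0
        self.outstanding: Set[int] = set()

    def can_send(self) -> bool:
        # Request X may go out only once every request <= X - N is answered.
        return all(i > self.next_id - self.peer_window for i in self.outstanding)

    def send(self) -> int:
        if not self.can_send():
            raise RuntimeError(
                f"window of {self.peer_window} exhausted; "
                f"unanswered: {sorted(self.outstanding)}"
            )
        msg_id = self.next_id
        self.next_id += 1
        self.outstanding.add(msg_id)
        return msg_id

    def receive_response(self, msg_id: int) -> None:
        self.outstanding.discard(msg_id)


def reorder_scenario(window_size: int) -> Tuple[List[str], List[str]]:
    """Replay the reordering from the post against a responder of the given
    window size: requests 10 and 11 arrive while 9 is still expected, then a
    (constructed) late request 9 shows up. Returns (actions, log lines)."""
    responder = Responder(window_size)
    responder.next_expected = 9  # state at rekey time, as in the posted log
    arrivals = [
        (10, "INFORMATIONAL [ D ]"),   # from the post
        (11, "INFORMATIONAL [ ]"),     # from the post
        (9, "late request"),           # assumption: the missing ID turns up later
    ]
    actions = [responder.receive(msg_id, exchange)[0] for msg_id, exchange in arrivals]
    return actions, responder.log


if __name__ == "__main__":
    for size in (1, 3):
        acts, lines = reorder_scenario(size)
        print(f"window {size}: {acts}")
        for line in lines:
            print("  " + line)
```

With a window of 1 the model reproduces the two "Ignored" lines from the post for IDs 10 and 11; with a window of 3 all three requests are processed out of order and nothing is dropped. Whether a given implementation actually advertises a window greater than 1 is a question for that implementation, which is what the mail asks.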