[strongSwan] Message ID mismatch and SET_WINDOWS_SIZE and INVALID_MESSAGE_ID question

Tobias Brunner tobias at strongswan.org
Fri Nov 27 10:29:01 CET 2015


Hi Simon,

> I am running strongswan 5.3.2 talking to a Windows client.
> At child_sa rekey time the Windows client always fires off 2 requests in
> parallel, one is keepalive and the other rekey_sa. Almost always the 2
> messages arrive in the wrong order and the connection must be torn down
> and re-negotiated from start.
> 
> This is the log on strongswan side:
> 
> parsed INFORMATIONAL request 10 [ D ]
> received message ID 10, expected 9. Ignored
> 
> parsed INFORMATIONAL request 11 [ ]
> received message ID 11, expected 9. Ignored

Even if these are two parallel exchanges, where is/was the request with
message ID 9?  Was that lost?

> The other vendor insisted the standard allows them to send out multiple
> messages in parallel.
> rfc7296 section 2.3 "Window Size for Overlapping Requests" states that a
> peer can send out multiple messages without waiting for reply if it had
> received a SET_WINDOW_SIZE notification and the size is greater than 1.

That's correct, but strongSwan never sends that notify as it does not
support window sizes greater than 1.  So the vendor is wrong in doing this.

> rfc7296 also states this:
> 
> The INVALID_MESSAGE_ID notification is sent when an IKE Message ID
> outside the supported window is received.  This Notify message
> MUST NOT be sent in a response; the invalid request MUST NOT be
> acknowledged...
> 
> Can strongswan development team confirm whether window size is greater
> than 1?
> If strongswan never sends such notify message, how come there is not
> INVALID_MESSAGE_ID notification message? Is it optional?

Yes, as the RFC states just after your quote above: "Sending this
notification is OPTIONAL, and notifications of this type MUST be rate
limited."  strongSwan currently does not send them.

Regards,
Tobias
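As an added illustration of the exchange above (not code from strongSwan or from either poster), the following Python models the responder side of the RFC 7296 section 2.3 request window and replays the Message IDs from Simon's log, once with the window size of 1 that strongSwan effectively uses and once with a larger window. Class and function names are assumptions for this example; the log wording is constructed to resemble strongSwan's.

```python
from dataclasses import dataclass, field


@dataclass
class ResponderWindow:
    """Hypothetical responder-side IKEv2 request window (RFC 7296, section 2.3).
    strongSwan never sends SET_WINDOW_SIZE, so its effective window stays at 1."""
    window_size: int = 1
    expected_id: int = 0                        # lowest request ID not yet answered
    received: set = field(default_factory=set)  # answered IDs above expected_id
    log: list = field(default_factory=list)     # constructed, strongSwan-like lines

    def receive_request(self, message_id: int, exchange: str) -> str:
        """Classify an incoming request as accepted, retransmit or ignored."""
        if message_id < self.expected_id:
            # Already answered: the peer is retransmitting, resend stored response.
            self.log.append(f"received retransmit of request {message_id}")
            return "retransmit"
        if message_id >= self.expected_id + self.window_size:
            # Outside the window: the request MUST NOT be acknowledged.
            # INVALID_MESSAGE_ID is OPTIONAL (and rate limited); strongSwan,
            # per the reply above, does not send it at all.
            self.log.append(
                f"received message ID {message_id}, expected {self.expected_id}. Ignored")
            return "ignored"
        # Inside the window: process and respond, then slide the window forward
        # past every consecutive ID that has now been handled.
        self.log.append(f"parsed {exchange} request {message_id}")
        self.received.add(message_id)
        while self.expected_id in self.received:
            self.received.remove(self.expected_id)
            self.expected_id += 1
        return "accepted"


def replay_scenario(window_size: int, expected_id: int, ids: list) -> list:
    """Feed request IDs to a fresh responder and return the per-request outcome."""
    w = ResponderWindow(window_size=window_size, expected_id=expected_id)
    return [w.receive_request(i, "INFORMATIONAL") for i in ids]


if __name__ == "__main__":
    # Simon's trace: responder expects 9, but 10 and 11 arrive first.
    print(replay_scenario(1, 9, [10, 11, 9]))  # ['ignored', 'ignored', 'accepted']
    # A responder that had advertised window 3 would accept them, yet request 9
    # is still needed before the window can move past it.
    print(replay_scenario(3, 9, [10, 11, 9]))  # ['accepted', 'accepted', 'accepted']
```

Either way the request with ID 9 has to arrive for the responder to advance, which is the point of Tobias's first question.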
