[strongSwan] deleting child_SA when adding a new connection

Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Fri Nov 25 10:23:21 CET 2016


Hello strongSwan users, and devs,

I'm using strongSwan 5.1.2-0ubuntu2.5 and 5.3.5-1ubuntu3 on Ubuntu 14.04
and 16.04.
On the first host, I configure a new connection and execute ipsec
rereadall + ipsec update.
ipsec statusall displays "new_connection[1]: IKEv2 SPIs:
8fedd5e6b1824640_i* 0000000000000000_r" (because the second host is not configured)

On the second host, I configure the new connection with the first host.
When starting strongswan on the second host, the connection comes up and
is OK but the child is deleted a few seconds later. IKE_SA stays up.
If I set uniqueids to no, the old IKE_SA stays up and a new IKE_SA is
created with a new child.

I can see it in the log file.

Second host:
charon: 14[IKE] deleting duplicate IKE_SA for peer 'C=...., CN=......'
due to uniqueness policy
charon: 14[IKE] deleting IKE_SA new_connection[1] between
192.168.0.31[C=....., CN=.....]...192.168.0.11[C=......, CN=.....]
......
.....
charon: 22[IKE] unable to install IPsec policies (SPD) in kernel
charon: 22[IKE] failed to establish CHILD_SA, keeping IKE_SA
charon: 04[KNL] deleting policy ....... failed, not found


First host:
charon: 23[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
charon: 23[IKE] failed to establish CHILD_SA, keeping IKE_SA
charon: 29[IKE] received AUTH_LIFETIME of 9896s, scheduling
reauthentication in 9356s


Is it a known issue? I see this bug report in strongSwan Redmine:
https://wiki.strongswan.org/issues/1503

-- 
Regards,
Fabrice Barconnière
Pôle logiciels libres - EOLE

