[strongSwan] rekeying IKEv2 SA

Tobias Brunner tobias at strongswan.org
Mon Jul 3 12:13:09 CEST 2017


Hi Mike,

> It says "configured DH group CURVE_25519 not supported".  But of course it does
> not have this error upon initially establishing the IKEv2 SA and all works well until
> it is time to rekey.

Very odd.  The code path there is the same initially and during the
rekeying.  So it either should fail both times, or not at all (at least
if it uses curve25519 initially too, which should get rejected by the
server with an INVALID_KE_PAYLOAD notify, and modp1024 should then be
used).  No idea why it suddenly would fail to create such an instance.

> Again, the end result is that if I decrypt the packets with Wireshark I see that
> StrongSwan sends an empty (except for padding) CREATE_CHILD_SA
> request when it attempts to rekey and I guess that is obviously due to the error with the DH
> group.

Yes, the exchange is not aborted (the ike_rekey task currently ignores
the result of the ike_init task's build() method).

Regards,
Tobias
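As an added illustration (not strongSwan code, and not part of the original thread), the following model walks through the IKEv2 DH-group negotiation Tobias describes: the initiator offers curve25519 first, the responder answers with INVALID_KE_PAYLOAD naming modp1024, and the retry succeeds; it also models the failure mode from the thread, where the initiator cannot instantiate its own configured group and sends a request without a KE payload. The group identifiers come from RFC 7296 and RFC 8031; the message structures and the two-round limit are simplifying assumptions of this model.

```python
# Constructed model of IKEv2 DH-group negotiation (RFC 7296 sec. 2.7).
# Not strongSwan code: message shapes and the two-round limit are assumptions.
from typing import List, Optional, Set, Tuple

# IANA Transform Type 4 (Diffie-Hellman Group) identifiers.
MODP_1024 = 2            # RFC 7296
CURVE_25519 = 31         # RFC 8031
INVALID_KE_PAYLOAD = 17  # notify message type, RFC 7296 sec. 3.10.1


def build_request(proposals: List[int], local_supported: Set[int],
                  ke_group: Optional[int] = None) -> Tuple[List[int], Optional[int]]:
    """Initiator: SA payload lists every proposal; KE payload carries one group.
    If that group cannot be instantiated locally, the KE payload is omitted,
    which mirrors the empty CREATE_CHILD_SA request seen in the thread."""
    ke_group = proposals[0] if ke_group is None else ke_group
    return proposals, (ke_group if ke_group in local_supported else None)


def respond(proposals: List[int], ke_group: Optional[int],
            peer_supported: Set[int]) -> Tuple[Optional[int], Optional[Tuple[int, int]]]:
    """Responder: choose the first mutually supported group. Returns
    (agreed_group, notify); notify is (INVALID_KE_PAYLOAD, wanted_group) when
    the KE payload is in a different group than the one chosen."""
    chosen = next((g for g in proposals if g in peer_supported), None)
    if chosen is None or ke_group is None:
        return None, None  # nothing usable: responder rejects the exchange
    if ke_group != chosen:
        return None, (INVALID_KE_PAYLOAD, chosen)
    return chosen, None


def negotiate(proposals: List[int], local_supported: Set[int],
              peer_supported: Set[int]) -> Tuple[Optional[int], List[str]]:
    """Run the initial KE round and, if needed, the INVALID_KE_PAYLOAD retry."""
    log: List[str] = []
    ke_group: Optional[int] = None
    for _ in range(2):
        proposals, ke = build_request(proposals, local_supported, ke_group)
        if ke is None:
            log.append("request carries no KE payload: local DH group unavailable")
            return None, log
        agreed, notify = respond(proposals, ke, peer_supported)
        log.append(f"KE group {ke}: " + ("accepted" if agreed else f"notify {notify}"))
        if agreed is not None:
            return agreed, log
        if notify is None:
            return None, log
        ke_group = notify[1]  # retry with the group the responder asked for
    return None, log
```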
