[strongSwan] Tunnel failing when rekeying

Tobias Brunner tobias at strongswan.org
Fri May 12 08:11:46 CEST 2017

Hi Dusan,

> May 11 08:37:04 10[IKE] <azure|2> CHILD_SA azure{5} established with 
> SPIs cbf4ad11_i 25a1672e_o and TS ===
> May 11 15:44:10 07[IKE] <azure|2> no acceptable proposal found
> May 11 15:44:10 07[IKE] <azure|2> failed to establish CHILD_SA, keeping 

Most likely a configuration mismatch.  One peer has only ESP proposals
with a DH group the other doesn't have.  The problem is that with IKEv2 the DH
groups are stripped from the proposals when the first CHILD_SA is
established with the IKE_AUTH exchange (its keys are derived from the
original key material that's also used for the IKE_SA) so you don't
notice that immediately.  However, when rekeying or creating the SA with
a CREATE_CHILD_SA exchange no proposal can be selected due to the
mismatch.  There is a note about this issue in the description of the
esp option in the ipsec.conf man page and the wiki [1].


[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
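To see why such a mismatch only surfaces at rekey time, here is a small model, added as an illustration and not strongSwan code, of the two selections described above: for the CHILD_SA created with IKE_AUTH the DH groups are stripped before the ESP proposals are compared, while CREATE_CHILD_SA compares them with the groups intact. The `esp=` values, the peer names and the first-match selection rule are constructed assumptions; the `!` strict flag is accepted and dropped by the parser, and default fallback proposals, AEAD proposals (which have no integrity token) and the real implementation's preference rules are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DH group prefixes as they appear in ipsec.conf proposal strings (modp2048, ecp256, curve25519, ...).
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: Optional[str] = None  # None: no PFS group in this proposal


def parse_esp(value: str) -> List[Proposal]:
    """Parse an ipsec.conf style esp= list such as 'aes256-sha256-modp2048,aes128-sha1!'.

    Simplified model: every proposal is encryption-integrity[-dhgroup][-esnmode].
    A trailing '!' (strict flag) is accepted and dropped; default fallback proposals
    are not added. Tokens that are not a DH group (e.g. 'esn') are ignored here.
    """
    proposals = []
    for item in value.rstrip("!").split(","):
        parts = item.strip().split("-")
        if len(parts) < 2:
            raise ValueError("malformed ESP proposal: %r" % item)
        dh = next((p for p in parts[2:] if p.startswith(DH_PREFIXES)), None)
        proposals.append(Proposal(parts[0], parts[1], dh))
    return proposals


def strip_dh(proposals: List[Proposal]) -> List[Proposal]:
    """The first CHILD_SA (IKE_AUTH) derives its keys from the IKE_SA key material,
    so the DH group is removed from every proposal before they are compared."""
    return [Proposal(p.encr, p.integ, None) for p in proposals]


def select(initiator: List[Proposal], responder: List[Proposal],
           exchange: str) -> Optional[Proposal]:
    """Return the proposal both peers share, or None ("no acceptable proposal found").

    Simplification (assumed, not strongSwan's actual rule): the first of the
    initiator's proposals that the responder also configures wins.
    """
    if exchange == "IKE_AUTH":
        initiator, responder = strip_dh(initiator), strip_dh(responder)
    elif exchange != "CREATE_CHILD_SA":
        raise ValueError("unknown exchange: %r" % exchange)
    return next((p for p in initiator if p in responder), None)


# Constructed configurations (not from the thread): peer A insists on PFS with modp2048,
# peer B configures the same ciphers but no DH group at all.
PEER_A_ESP = "aes256-sha256-modp2048!"
PEER_B_ESP = "aes256-sha256!"
# Corrected peer B: both sides now list the same group, so rekeying can succeed.
PEER_B_ESP_FIXED = "aes256-sha256-modp2048!"


def lifecycle(esp_a: str, esp_b: str) -> Tuple[Optional[Proposal], Optional[Proposal]]:
    """(initial CHILD_SA via IKE_AUTH, rekeyed CHILD_SA via CREATE_CHILD_SA)."""
    a, b = parse_esp(esp_a), parse_esp(esp_b)
    return select(a, b, "IKE_AUTH"), select(a, b, "CREATE_CHILD_SA")


if __name__ == "__main__":
    for label, esp_b in (("mismatch", PEER_B_ESP), ("fixed", PEER_B_ESP_FIXED)):
        initial, rekey = lifecycle(PEER_A_ESP, esp_b)
        print("%-8s IKE_AUTH: %s  CREATE_CHILD_SA: %s"
              % (label, initial, rekey or "no acceptable proposal found"))
```

With the mismatched pair the tunnel comes up normally (the stripped proposals are identical) and only the CREATE_CHILD_SA step returns nothing, which is exactly the symptom in the quoted log: an established CHILD_SA in the morning and "no acceptable proposal found" hours later when the rekey is attempted. The check a practitioner wants is therefore to compare the DH groups of the `esp` lines on both peers, not just the cipher and integrity algorithms that the initial negotiation already confirmed.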

