[strongSwan] Tunnel failing when rekeying

Dusan Ilic dusan at comhem.se
Tue May 16 17:43:12 CEST 2017


Hi Tobias, and thank you.

I have checked this and I have even deleted the IKE and ESP config on my 
end completely, and still it doesn't work after rekeying.

Any further suggestions?


On 2017-05-12 at 08:11, Tobias Brunner wrote:
> Hi Dusan,
>
>> May 11 08:37:04 10[IKE] <azure|2> CHILD_SA azure{5} established with
>> SPIs cbf4ad11_i 25a1672e_o and TS 10.1.1.0/26 === 10.0.1.0/24
>> May 11 15:44:10 07[IKE] <azure|2> no acceptable proposal found
>> May 11 15:44:10 07[IKE] <azure|2> failed to establish CHILD_SA, keeping
>> IKE_SA
> Most likely a configuration mismatch.  One peer has only ESP proposals
> with a DH group, the other doesn't.  The problem is that with IKEv2 the DH
> groups are stripped from the proposals when the first CHILD_SA is
> established with the IKE_AUTH exchange (its keys are derived from the
> original key material that's also used for the IKE_SA) so you don't
> notice that immediately.  However, when rekeying or creating the SA with
> a CREATE_CHILD_SA exchange no proposal can be selected due to the
> mismatch.  There is a note about this issue in the description of the
> esp option in the ipsec.conf man page and the wiki [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>
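
The mismatch described in the quoted reply, as an added example that is not part of the original thread and not strongSwan's code: a simplified model of ESP proposal matching in which the DH transform is ignored for the CHILD_SA created during IKE_AUTH but compared during CREATE_CHILD_SA. The function names and the sample proposals are assumptions made for illustration.

```python
# Simplified model of IKEv2 ESP proposal matching; not strongSwan's code.
# A proposal maps a transform type to the set of algorithms offered for it.
# A proposal without a "dh" entry offers no DH group.

def strip_dh(proposal):
    """Drop the DH transform, as happens for the CHILD_SA set up in IKE_AUTH."""
    return {t: algs for t, algs in proposal.items() if t != "dh"}

def select(local, remote):
    """Return one agreed algorithm per transform type, or None on mismatch."""
    chosen = {}
    for ttype in sorted(set(local) | set(remote)):
        common = local.get(ttype, set()) & remote.get(ttype, set())
        if not common:
            # One side requires this transform type and the other cannot
            # match it: "no acceptable proposal found".
            return None
        chosen[ttype] = sorted(common)[0]
    return chosen

def negotiate(local, remote, exchange):
    """Model the CHILD_SA negotiation for the given exchange type."""
    if exchange == "IKE_AUTH":
        local, remote = strip_dh(local), strip_dh(remote)
    return select(local, remote)

# Constructed sample proposals (algorithm names chosen for illustration).
WITH_DH = {"encr": {"aes256"}, "integ": {"sha256"}, "dh": {"modp2048"}}
WITHOUT_DH = {"encr": {"aes256"}, "integ": {"sha256"}}

if __name__ == "__main__":
    for exchange in ("IKE_AUTH", "CREATE_CHILD_SA"):
        print(exchange, "mismatched:", negotiate(WITH_DH, WITHOUT_DH, exchange))
    print("CREATE_CHILD_SA aligned:", negotiate(WITH_DH, WITH_DH, "CREATE_CHILD_SA"))
```

In this model the mismatched pair agrees during IKE_AUTH and fails only at CREATE_CHILD_SA, which matches the log sequence quoted above: the CHILD_SA is established first and "no acceptable proposal found" appears later.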


