Hi James,

> It should be noted that I had tested the same setup with the
> configuration option 'reauth=no' previously for 5 days without such a
> situation appearing. I then removed this option and after 2 days of
> testing I had the problem described above.
It is hard to say what ultimately led to the second CHILD_SA, but that reauthentication is involved is certainly possible. Reauthentication is actually a kludge in IKEv2, as it just re-establishes the IKE_SA and all CHILD_SAs from scratch. There are situations that are hard to handle, for example if one peer re-authenticates while the other rekeys a CHILD_SA. Another problem arises if, for example, a trap policy (auto=route) triggers while the remote end has closed the IKE_SA just before recreating it during re-authentication.

I usually recommend setting reauth=no, as it is just not required for most setups to re-evaluate credentials. If it is in your setup, you might consider choosing rekey/reauth times such that always the same peer initiates the reauthentication/rekeying. This certainly can help in avoiding the issue you have seen.

Regards
Martin

_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
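A small check for the advice above, added here as an example and not part of the list thread or of strongSwan itself: given each peer's ipsec.conf `ikelifetime`/`lifetime`, `margintime` and `rekeyfuzz`, it computes the window in which that peer may initiate a rekey or reauth and reports whether one peer is guaranteed to fire first. It assumes strongSwan's documented scheduling (rekey at lifetime minus margintime, pulled forward by a random amount of up to margintime*rekeyfuzz) and that both peers establish the SA at roughly the same instant; the peer settings at the bottom are constructed sample values.

```python
# Added example, not code from the strongSwan project or the list thread.
# Assumed scheduling model (from the ipsec.conf documentation as I read it):
#   a peer initiates rekey/reauth somewhere in
#   [lifetime - margintime*(1+rekeyfuzz), lifetime - margintime]
# If the two peers' windows are disjoint, the same peer always initiates,
# which is what Martin suggests to avoid colliding reauth/rekey.

def parse_time(text):
    """Parse a strongSwan-style time value ('3h', '9m', '540s', '540') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    text = str(text).strip()
    if text and text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def rekey_window(lifetime, margintime, rekeyfuzz=1.0):
    """Earliest and latest second (after SA establishment) at which a peer
    with these settings may start a rekey/reauth. rekeyfuzz=1.0 is 100%."""
    lifetime = parse_time(lifetime)
    margintime = parse_time(margintime)
    if not 0 <= margintime < lifetime:
        raise ValueError("margintime must be smaller than lifetime")
    latest = lifetime - margintime
    earliest = lifetime - margintime * (1 + rekeyfuzz)
    return max(earliest, 0), latest


def sole_initiator(peer_a, peer_b):
    """Return 'A' or 'B' if that peer's whole window lies before the other's
    (so it always initiates), or None if the windows can overlap."""
    a_lo, a_hi = rekey_window(**peer_a)
    b_lo, b_hi = rekey_window(**peer_b)
    if a_hi < b_lo:
        return "A"
    if b_hi < a_lo:
        return "B"
    return None


# Constructed sample settings: strongSwan defaults on both sides (3h IKE_SA
# lifetime, 9m margin, 100% fuzz) give identical, overlapping windows, so
# either peer might initiate and the two can collide.
SYMMETRIC = (
    {"lifetime": "3h", "margintime": "9m", "rekeyfuzz": 1.0},
    {"lifetime": "3h", "margintime": "9m", "rekeyfuzz": 1.0},
)

# Giving the responder a longer lifetime moves its window entirely after
# the initiator's, so peer A always does the rekey/reauth.
ASYMMETRIC = (
    {"lifetime": "3h", "margintime": "9m", "rekeyfuzz": 1.0},
    {"lifetime": "4h", "margintime": "9m", "rekeyfuzz": 1.0},
)

if __name__ == "__main__":
    for label, peers in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(label, rekey_window(**peers[0]), rekey_window(**peers[1]),
              "sole initiator:", sole_initiator(*peers))
```

The same calculation applies to CHILD_SA rekeying with `lifetime` instead of `ikelifetime`; the window must also close before the other peer's hard lifetime expires, which holds automatically whenever the windows are disjoint in the order shown.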