Hi,

This is regarding an issue with strongSwan during IKEv2 Phase 1 rekey.
I brought up an IKEv2 session using strongSwan and our box (remote access
IPsec session).
Here I am seeing an issue that whenever strongSwan is configured to
initiate Phase 1 rekey (IKE_SA),
strongSwan sends an IKE delete message first (as an informational
exchange), then followed by SA Init.
Due to this, each Phase 1 rekey is like tearing down the existing session
and setting up a new one.
But I think the IKE delete for the old SA should be sent only after the new SA is
established.
Please correct me if I am wrong.
This issue was not observed when we configured the other side gateway
(not strongSwan) we are using to initiate rekey.
I tried two different versions of strongSwan, 4.2.9 and 4.4.0.
If someone faced this issue and was able to solve it, please let me know.
I am pasting my ipsec.conf file also for your reference.

cat ipsec.conf
# basic configuration
config setup
        strictcrlpolicy=no
        plutostart=no
        charonstart=yes
        charondebug=all
        klipsdebug=all

conn home
        rekey=yes
        ikelifetime=90s
        keylife=800s
        rekeymargin=20
        keyexchange=ikev2
        auth=esp
        authby=psk
        keyingtries=1
        left=90.1.1.1
        leftid=ik...@ic
        leftsourceip=10.10.10.1
        leftfirewall=no
        right=15.1.1.1
        #righti...@ic
        rightid=%any
        rightsubnet=69.0.0.1/24
        pfs=yes
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
        auto=add

(The file which I attached here is a pcap taken during P1 rekey.)
Thanks
Arun
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
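
The message order described in the post above can be checked from the cleartext IKE headers of a capture. The following is an added example, not part of the original post and not strongSwan code: it assumes the UDP port 500 payloads have already been extracted from a pcap, the function names are hypothetical, and the sample headers are constructed. Header layout and exchange type numbers are those of RFC 7296.

```python
import struct

# IKEv2 exchange types and fixed 28-byte header layout, per RFC 7296 section 3.1
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
HDR = struct.Struct("!8s8sBBBBII")
RESPONSE_FLAG = 0x20

def parse_header(datagram):
    """Decode the cleartext IKE header of one UDP/500 payload."""
    if len(datagram) < HDR.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, xchg, flags, msg_id, _len = HDR.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    return {"spi_i": spi_i, "spi_r": spi_r, "msg_id": msg_id,
            "exchange": EXCHANGES.get(xchg, str(xchg)),
            "response": bool(flags & RESPONSE_FLAG)}

def classify_rekey(datagrams):
    """Classify how an IKE SA was replaced, from request order alone.

    Payloads are encrypted, so a Delete and a liveness check look the same
    here, and CREATE_CHILD_SA may also rekey a Child SA; the verdict is an
    inference from ordering, not proof.
    """
    reqs = [h for h in map(parse_header, datagrams) if not h["response"]]
    if not reqs:
        return "inconclusive"
    old_spi = reqs[0]["spi_i"]          # first packet is assumed to use the old SA
    order = [(h["exchange"], h["spi_i"] == old_spi) for h in reqs]
    if ("INFORMATIONAL", True) not in order:
        return "inconclusive"
    info = order.index(("INFORMATIONAL", True))
    if ("CREATE_CHILD_SA", True) in order[:info]:
        return "rekey-then-delete"      # new keys negotiated inside the old SA first
    if ("IKE_SA_INIT", False) in order[info + 1:]:
        return "delete-then-new-sa"     # the order reported in the post
    return "inconclusive"

def _hdr(spi_i, spi_r, xchg, flags, msg_id):
    """Build a constructed header-only message (no payloads) for the samples."""
    return HDR.pack(spi_i, spi_r, 0, 0x20, xchg, flags, msg_id, HDR.size)

# Constructed sample data, not taken from the attached ike.pcap
OLD_I, OLD_R, NEW_I, ZERO = b"\x11" * 8, b"\x22" * 8, b"\x33" * 8, b"\x00" * 8
REPORTED = [_hdr(OLD_I, OLD_R, 37, 0x00, 0), _hdr(OLD_I, OLD_R, 37, 0x28, 0),
            _hdr(NEW_I, ZERO, 34, 0x08, 0)]
IN_PLACE = [_hdr(OLD_I, OLD_R, 36, 0x00, 0), _hdr(OLD_I, OLD_R, 36, 0x28, 0),
            _hdr(OLD_I, OLD_R, 37, 0x00, 1)]
```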
