Hi all,

My network looks like this:

[My Host(Strongswan)]----[Security GW]-----[Peer Host]

My Host (Strongswan) communicates with Peer Host.
My Host has Strongswan 4.4.1 installed on Linux 2.6.19.

The trouble occurs in the following sequence.

Strongswan                        Security GW
    |                                  |
    |                                  | Network trouble occurred.
    |                                  | IKE_SA and CHILD_SA are closed by DPD.
    |                                  |
    ====================================
    |                                  |
    |                                  |
    |----------IKE_INIT(A)---> X       | Strongswan initiates IKE sequence.
    |                                  | Security GW doesn't receive IKE_INIT (due to congestion).
    |                                  |
    |<---------IKE_INIT(SA#1)----------| Security GW initiates IKE sequence.
    |----------IKE_INIT(SA#1)--------->| IKE_SA(SA#1) is established.
    |<---------IKE_AUTH(SA#1)----------|
    |----------IKE_AUTH(SA#1)--------->| CHILD_SA(#1) is established.
    |                                  |
    |----------IKE_INIT(SA#2)--------->| Strongswan retransmits IKE_INIT(A) (I-Cookie is the same as IKE_INIT(A)).
    |<---------IKE_INIT(SA#2)----------|
    |----------IKE_AUTH(SA#2)--------->|
    |<---------IKE_AUTH(SA#2)----------| IKE_SA(SA#2) is established,
    |                                  | but Security Gateway releases IKE_SA(SA#1),
    |                                  | because an IKE_SA is established between the same peer (Strongswan).
    |-------IKE Information(SA#1)----->| For KeepAlive,
    |                                  | but Security Gateway does not respond,
    |                                  | because Security Gateway doesn't have IKE_SA(SA#1).
    |                                  |
    |-------IKE Information(SA#1)----->| Strongswan retries KeepAlive n times.
    |                                  | After Strongswan detects DPD, Strongswan releases IKE_SA(SA#1).
    |                                  |
    |----------IKE_INIT(SA#3)--------->| Strongswan starts IKE sequence, because IKE_SA(SA#1) is down.

The most serious problem is that Strongswan would repeat the sequence of IKE SA setup and release.

I hope that Strongswan does not start an IKE sequence if an IKE_SA is established with the same Security Gateway.
(I hope that the number of IKE_SAs between Strongswan and one Security Gateway is only one, if I use DPD and set dpdaction = restart.)

Do you have any resolution?

Thanks for your help.

Best regards,
Tetsuya