Hi, > 10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built > 10[IKE] CHILD_SA rekeying failed, trying again in 24 seconds
> Hence, is sending notify payload (no proposal chosen) not treated as > failure for rekey attempt? NO_PROPOSAL_CHOSEN usually indicates a permanent error, yes, but there are corner cases where a retry makes sense. RFC 5996 defines a TEMPORARY_FAILURE to indicate that rekeying is currently not possible (most likely because of an exchange collision), and the peer should try again. Before RFC 5996, there was no such specific notify, and NO_PROPOSAL_CHOSEN was used. We ourself still use a NO_PROPOSAL_CHOSEN notify in some of these situations. I think we should update to the new RFC 5996 notifies, but we haven't done this yet. > "If an SA has expired or is about to expire and rekeying attempts > using the mechanisms described here fail, an implementation MUST close > the IKE_SA and any associated CHILD_SAs and then MAY start new ones." Another reason for retrying is that the responder might have updated the configuration (for example, due to manual intervention). The hard SA lifetime still applies, and the SA gets deleted once expired. So I think we are fine with the above paragraph. Regards Martin _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
