Hi,

> First one ikev2 child SA is established after IKE_SA_INIT and IKE_AUTH
> exchanges. Now a second Child SA is created by sending CREATE_CHILD_SA
> request.
> Then this application times out the first child SA and expects a REKEY
> request for the first CHILD SA. BUT when two child SAs get established
> the keylife of both the Child SAs gets approximately the same. And
> Strongswan sends rekey request for both of them. Now this software
> sends one CREATE_CHILD_SA (rekey response) message. But on Strongswan's
> side it shows MAC Authentication failed (in var/log/charon.log). And it
> drops the packet.

Hard to say what's going wrong. Are you sure these CREATE_CHILD_SA messages are for CHILD_SAs, not for IKE_SAs? Is it possible to reproduce the issue while rekeying just a single CHILD_SA? strongSwan has been tested against many implementations, but I've never seen this issue with CHILD_SA rekeying. Should your application support that rekeying scenario you describe above?

> Are there any limitations on creating more than two Child SAs for the
> same IKE SA. Or is there any known issue on strongswan
> about creating more than one Child SA or rekeying.

No.

Regards
Martin
