Hi Mirko,

> * Charon on OpenWrt was unable to perform the MOBIKE address update;
>   eventually the IKE SA was destroyed and reestablished.

This issue has already been reported [1]. In your case the ongoing (but, due to unusable addresses, unsuccessful) DPD exchange blocks the MOBIKE task. Once the DPD exchange fails (after 5 retransmits) charon destroys the SA and tries to reestablish it.

> * Both peers initiated an IKE SA and CHILD SAs based on these.
>   Why wasn't one of them deleted as a duplicate?
>   This issue showed up in about 50% of my experiments.

If both peers initiate the same IKE_SA within a small time frame the duplicate can't be detected. Essentially, whenever the daemon processes and builds the IKE_AUTH response for the respective SAs concurrently.

Regards,
Tobias

[1] http://wiki.strongswan.org/issues/193
