Hi,

I have a setup where I have a Linux box (with strongSwan running on it)
connected to a Juniper firewall device. I have configured an IKE tunnel
with 3 CHILD SAs under it. Now this is what happens:
1. The Linux box has a faster CHILD SA rekey time, so it always triggers the rekey.
2. All rekeys are happening successfully.
3. Suddenly, at a random interval, on one instance of a rekey, the Juniper device
misbehaves. This is what happens:
    3.a) Linux sends a CHILD SA rekey message to the Juniper.
    3.b) The Juniper responds correctly with new SPI values, and the new SAD
entry is created in the SAD table.
    3.c) Now the Linux box (strongSwan stack) sends an INFORMATIONAL message with a Delete
payload to delete the old SA.
    3.d) To this the Juniper responds with an INFORMATIONAL Delete message, however with
an incorrect SPI value. Because of this, the Linux box is not able to find a
matching SA and hence is not able to delete the old SA entry from the SAD table.
    3.e) After some time the same CHILD SA expires and the Linux box again
sends an INFORMATIONAL Delete message, to which the Juniper again responds with an incorrect
SPI. Hence the SAD entry is never getting removed.

Query: Why is the strongSwan stack dependent on a successful response from the peer
device to do the clean-up of an expired SA? Shouldn't it clean up the SAD
entry on its own, at least after some number n of successful attempts? Not sure
what that "n" would be.

BR
Sajal
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
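The exchange described in steps 3.c to 3.e, modelled as an added example that is not part of the original post and is not strongSwan or Juniper code. It encodes and decodes the RFC 7296 section 3.11 Delete payload body (Protocol ID, SPI Size, Num of SPIs, SPIs; the generic payload header is left out), keeps a toy SAD for the Linux side keyed by its inbound SPI, and shows why a Delete response carrying the wrong SPI leaves the old entry in place: per RFC 7296 each side's Delete lists its own inbound SPIs, so the initiator matches the responder's Delete against its outbound SPI. The `reap()` method is a hypothetical local policy (hard-lifetime expiry or `MAX_DELETE_ATTEMPTS` unanswered deletes), written to illustrate the "clean up on its own after n attempts" idea; the SPI values and lifetimes are constructed.

```python
"""Constructed model of an IKEv2 CHILD_SA delete exchange (added example,
not strongSwan or Juniper code)."""
import struct

PROTO_ESP = 3  # Protocol ID for ESP in the Delete payload (RFC 7296 section 3.11)


def encode_delete(spis, proto=PROTO_ESP, spi_size=4):
    """Delete payload body: Protocol ID (1), SPI Size (1), Num of SPIs (2), SPIs."""
    body = struct.pack("!BBH", proto, spi_size, len(spis))
    for spi in spis:
        body += spi.to_bytes(spi_size, "big")
    return body


def decode_delete(data):
    """Parse a Delete payload body; reject a length that disagrees with Num of SPIs."""
    proto, spi_size, n = struct.unpack("!BBH", data[:4])
    if len(data) != 4 + n * spi_size:
        raise ValueError("Delete payload length does not match Num of SPIs")
    spis = [int.from_bytes(data[4 + i * spi_size:4 + (i + 1) * spi_size], "big")
            for i in range(n)]
    return proto, spis


class ChildSA:
    def __init__(self, spi_in, spi_out, hard_expire):
        self.spi_in = spi_in          # our inbound SPI: what we put in our own Delete
        self.spi_out = spi_out        # peer's inbound SPI: what the peer's Delete must carry
        self.hard_expire = hard_expire  # constructed hard lifetime (arbitrary time units)
        self.delete_attempts = 0


class Sad:
    """Toy SAD for one end of the tunnel, keyed by our inbound SPI."""
    MAX_DELETE_ATTEMPTS = 3  # hypothetical local policy, not a strongSwan setting

    def __init__(self):
        self.entries = {}

    def install(self, sa):
        self.entries[sa.spi_in] = sa

    def build_delete(self, spi_in):
        """Step 3.c: INFORMATIONAL Delete listing our inbound SPI for the old SA."""
        sa = self.entries[spi_in]
        sa.delete_attempts += 1
        return encode_delete([sa.spi_in])

    def handle_delete_response(self, spi_in, payload):
        """Step 3.d: the peer's Delete must name our outbound SPI (its inbound one).
        Returns True and removes the entry on a match; otherwise keeps the SA."""
        proto, spis = decode_delete(payload)
        sa = self.entries[spi_in]
        if proto == PROTO_ESP and sa.spi_out in spis:
            del self.entries[spi_in]
            return True
        return False

    def reap(self, now):
        """Local cleanup that does not depend on the peer: drop SAs past their
        hard lifetime or with MAX_DELETE_ATTEMPTS deletes sent without a match."""
        gone = [k for k, sa in self.entries.items()
                if now >= sa.hard_expire or sa.delete_attempts >= self.MAX_DELETE_ATTEMPTS]
        for k in gone:
            del self.entries[k]
        return gone


def run_scenario(wrong_spi):
    """Run steps 3.c-3.d once. With wrong_spi=True the responder answers with an
    SPI that belongs to no SA, as the post describes for the Juniper."""
    linux = Sad()
    old = ChildSA(spi_in=0xC0000001, spi_out=0xD0000001, hard_expire=1000)
    new = ChildSA(spi_in=0xC0000002, spi_out=0xD0000002, hard_expire=2000)
    linux.install(old)
    linux.install(new)

    linux.build_delete(old.spi_in)                       # 3.c, request sent to the peer
    responder_spi = 0xDEAD0000 if wrong_spi else old.spi_out
    reply = encode_delete([responder_spi])               # 3.d, the peer's Delete response
    acked = linux.handle_delete_response(old.spi_in, reply)
    return acked, old.spi_in in linux.entries, linux


if __name__ == "__main__":
    acked, present, sad = run_scenario(wrong_spi=True)
    print("acked:", acked, "old SA still installed:", present)
    print("reaped at hard expiry:", [hex(s) for s in sad.reap(now=1000)])
```

Running the block prints the stuck case: the old SA stays installed after the mismatched reply, and only `reap()` at the hard lifetime removes it while leaving the new SA untouched.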
