Hi all,

We came across a problem during the last days which was causing us some headache and hope someone has an idea how to solve it.

We are running a VPN between a Linux system running strongswan 5.2.2 and a Juniper SRX system. The VPNs are being established "on traffic", meaning both peers are going to establish a VPN tunnel if there is traffic for the other side. An external event breaking the connection between the two peers (network outage, routing issue...) will lead to a situation where both peers are going to clear the SAs and start sending IKE-INIT messages to reestablish the tunnel. As the network connection is still broken, these IKE-INITs are not being answered and both endpoints start retransmitting the packets due to their locally configured retransmission timers. If the network connection comes up during these retransmission intervals, both peers will be able to complete the half-open SA negotiations; however, we see from the logs that strongswan is going to delete the 2nd Child-SA pair immediately after establishment. This behavior is ok for us in general (and in line with what Martin described in https://lists.strongswan.org/pipermail/users/2013-September/005294.html); however, in our case this leads to problems as strongswan only deletes the 2nd Child-SA but keeps the corresponding IKE-SA.

In our case we see that the Juniper system is retransmitting the IKE-INIT in a shorter interval than strongswan. That leads to a situation in which the tunnel initiated by Juniper gets established first and strongswan later deletes its own Child-SA. The Juniper system now tries to establish a Child-SA by using this IKE-SA established by strongswan, which again gets refused by strongswan. For us it seems that the Juniper system requires the Child-SA to be established by the "latest established" IKE-SA, which results in a kind of CREATE_CHILD_SA loop and a traffic outage until the next IKE-SA rekeying.

So again, in short, the message flow as we see it from logs and traces:

- Firstly, the "Juniper as initiator" tunnel is established. Tunnel is fine / traffic is fine.
- Now the "strongswan as initiator" tunnel is established. Immediately strongswan deletes the Child-SA of its own initiated tunnel.
- For outgoing traffic the SPI from the first Child-SA is used by strongswan.
- In case of traffic from the Juniper to strongswan, Juniper sends a CREATE_CHILD_SA request to create a Child-SA on the strongswan-initiated IKE-SA; traffic drops.
- strongswan rejects this Child-SA request again; traffic stays down till the next IKE-SA rekeying.

I am wondering if strongswan behaves correctly in this case. Based on my understanding strongswan should either

1. close the half-open SA and stop retransmitting the IKE-INIT if there is already an active SA, or
2. close both Child-SA and IKE-SA if it detects double Child-SA pairs.

Is there any chance to achieve one of the two as mentioned above by configuration change? Or do you see it as a fault on the Juniper side?

Looking forward to your comments.

Thanks and best regards,
Joern
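The race between the two retransmission schedules described in the mail, as an added example that is not part of the original post or of strongSwan's own code. It models strongSwan's documented IKE_SA_INIT retransmission timing (strongswan.conf options `charon.retransmit_timeout`, `charon.retransmit_base` and `charon.retransmit_tries`, with their defaults 4.0, 1.8 and 5, where retransmission n is sent after waiting `retransmit_timeout * retransmit_base ** n` seconds) and compares it with a hypothetical peer that retransmits at a fixed interval. The fixed-interval peer is a constructed stand-in, not the SRX's actual timer, and one-way network delay is ignored; the point is to see which side's IKE_SA_INIT is the first to leave after connectivity returns, and how the strongswan.conf knobs move that window.

```python
"""Model of IKE_SA_INIT retransmission windows (constructed example).

strongSwan's schedule follows the documented strongswan.conf formula:
retransmission n is sent after waiting retransmit_timeout * retransmit_base**n
seconds, retransmit_tries times; after the last wait the half-open IKE_SA
is given up.  The fixed-interval peer below is a hypothetical stand-in for
the Juniper side, not its real timer.
"""


def strongswan_schedule(timeout=4.0, base=1.8, tries=5):
    """Return (send_offsets, give_up_time) in seconds relative to the first
    IKE_SA_INIT.  The first packet leaves at t=0; each further entry is the
    time a retransmission leaves; give_up_time is when the half-open SA is
    abandoned if no reply ever arrives."""
    offsets = [0.0]
    t = 0.0
    for n in range(tries):
        t += timeout * base ** n      # wait for a reply, then retransmit
        offsets.append(t)
    give_up = t + timeout * base ** tries   # final wait after the last retry
    return offsets, give_up


def fixed_schedule(interval, attempts):
    """Hypothetical peer that resends every `interval` seconds, `attempts` times."""
    offsets = [interval * n for n in range(attempts)]
    return offsets, interval * attempts


def first_send_after(schedule, t_restored):
    """Offset of the first IKE_SA_INIT that leaves once connectivity is back at
    t_restored, or None if this side has already given up."""
    offsets, give_up = schedule
    for t in offsets:
        if t >= t_restored:
            return t
    return None  # all sends happened while the link was down


def race_winner(strongswan, peer, t_restored):
    """Which side's IKE_SA_INIT is answered first after the outage ends.
    Delay is ignored, so the earlier send wins; equal sends are a tie."""
    a = first_send_after(strongswan, t_restored)
    b = first_send_after(peer, t_restored)
    if a is None and b is None:
        return "none"
    if b is None or (a is not None and a < b):
        return "strongswan"
    if a is None or b < a:
        return "peer"
    return "tie"


def half_open_lifetime(timeout=4.0, base=1.8, tries=5):
    """Total seconds a half-open IKE_SA lingers before strongSwan gives up."""
    return strongswan_schedule(timeout, base, tries)[1]


if __name__ == "__main__":
    sw = strongswan_schedule()                 # strongswan.conf defaults
    jn = fixed_schedule(interval=10.0, attempts=20)   # constructed peer timer
    print("strongSwan sends at", [round(t, 2) for t in sw[0]],
          "gives up at", round(sw[1], 2))
    for t_back in (4.0, 30.0, 100.0):
        print(f"link restored at t={t_back:>5}: winner = {race_winner(sw, jn, t_back)}")
```

With the defaults the half-open SA survives for about 165 seconds, and the gaps between strongSwan's retries grow to over a minute, so a peer resending every few seconds will almost always be the side whose IKE_SA_INIT is answered first once the link returns. Lowering `retransmit_timeout` or `retransmit_base` narrows that gap, which is the only lever those options give; they do not change what strongSwan does with a duplicate Child-SA once both negotiations complete.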
