Hi all,

Apologies for bothering you again with this, but does any of you have an idea how to address the interoperability problem I was describing in my earlier email?

Just to avoid reading my former (quite long) email, let me summarize the problem again:

- We have an existing VPN between strongswan 5.2.2 and a Juniper SRX.
- The connection breaks due to an external event; SAs get cleared on both sides due to DPD.
- Both peers start sending IKE-INITs as there is traffic for the tunnel.
- The network is still down, so both peers start retransmitting the IKE-INIT.
- The connection recovers.
- Firstly, the "Juniper as initiator" tunnel is established. Tunnel is fine / traffic is fine.
- Now the "strongswan as initiator" tunnel is established. Immediately strongswan deletes the Child SA of its own initiated tunnel.
- For outgoing traffic the SPI from the first Child SA is used by strongswan.
- Juniper sends a CREATE_CHILD_SA request to create a Child-SA on the strongswan initiated IKE-SA; traffic drops.
- strongswan rejects this Child-SA request again and again; traffic stays down till the next SA rekeying.

Is there any chance to force strongswan to either:

1. close the half-open SA and stop retransmitting the IKE-INIT if there is already an active SA for this particular connection, or
2. close both CHILD-SA and IKE-SA if it detects double Child-SA pairs?

Looking forward to any idea helping to solve this issue.

Thanks and have a nice day
Joern

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
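The two groups of settings a strongSwan administrator would check first for the duplicate-IKE_SA situation described above, given here as an added example rather than anything from the thread or the strongSwan project: the retransmission and half-open timers in strongswan.conf, and the `uniqueids` policy in ipsec.conf that decides whether a second IKE_SA from the same peer identity replaces or is rejected in favour of the existing one. The values shown are illustrative assumptions; whether they resolve this specific SRX race is not established by the thread.

```ini
# --- /etc/strongswan.conf (added example; values are assumptions) ---
charon {
    # Give up on an unanswered IKE_SA_INIT sooner instead of retransmitting
    # for minutes: total wait = sum of retransmit_timeout * base^n, n < tries.
    # Defaults are 5 tries, 4.0 s, base 1.8 (roughly 2.5 minutes overall).
    retransmit_tries = 3
    retransmit_timeout = 4.0
    retransmit_base = 1.8

    # Half-open IKE_SAs (IKE_SA_INIT done, IKE_AUTH never completed) are
    # torn down after this many seconds (default 30).
    half_open_timeout = 30
}

# --- /etc/ipsec.conf (added example) ---
config setup
    # How a new IKE_SA from an already-connected peer identity is handled:
    #   yes     (default) the new IKE_SA replaces the old one
    #   keep    the existing IKE_SA is kept and the new one is rejected
    #   replace same as yes
    #   never   duplicates are allowed side by side (no uniqueness check)
    # With "keep", the SA that won the race is retained and the duplicate
    # is closed by strongSwan, rather than leaving two IKE_SAs where the
    # peer's CREATE_CHILD_SA lands on the wrong one.
    uniqueids = keep

conn srx-site
    keyexchange = ikev2
    left = %defaultroute
    leftid = @vpn.example.org        # placeholder identity
    right = 203.0.113.10             # placeholder SRX address (documentation range)
    rightid = @srx.example.net       # placeholder identity
    leftsubnet = 10.1.0.0/24
    rightsubnet = 10.2.0.0/24
    dpdaction = restart
    dpddelay = 30s
    auto = route
```

Which IKE_SA "wins" under `uniqueids = keep` depends on which one reached the established state first, so the charon log for both peers should be compared after a recovery to confirm that only one IKE_SA with one CHILD_SA pair survives.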
