Hi, I am looking for a clarification with respect to "rekeying SA" in the strongswan implementation. During a rekeying negotiation with a remote peer, if the local node receives "NO_PROPOSAL_CHOSEN" in a notify payload as the response to a CREATE_CHILD_SA request, shouldn't the current IKE SA be destroyed and created once again? But I observe that CREATE_CHILD_SA is requested again.

From charon.log (X is the local system and Y is the remote system):

01[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
01[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]
10[NET] received packet: from Y:Y:Y:1::1[500] to X:X:X:1::1[500]
10[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
10[IKE] failed to establish CHILD_SA, keeping IKE_SA
10[IKE] CHILD_SA rekeying failed, trying again in 24 seconds
05[KNL] creating rekey job for ESP CHILD_SA with SPI 8a8cefdc and reqid {1}
12[IKE] establishing CHILD_SA ikev2_test{1}
12[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
12[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]

From ipsec.conf, the timing settings are:

ikelifetime="120s"
rekeymargin=5s
keylife="60s"

As per RFC 4306 (http://www.ietf.org/rfc/rfc4306.txt), Section 2.8:

"An implementation MAY refuse all CREATE_CHILD_SA requests within an IKE_SA. If an SA has expired or is about to expire and rekeying attempts using the mechanisms described here fail, an implementation MUST close the IKE_SA and any associated CHILD_SAs and then MAY start new ones."

Hence, is sending a notify payload (NO_PROPOSAL_CHOSEN) not treated as a failure of the rekey attempt? It cannot be considered packet loss, as the initiator received the response anyway.

I am a newbie, so please correct my understanding if you have a better answer.

Thanks,
Gowri Shankar

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
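For operators who hit the behaviour described in the post, one practical check is to watch charon.log for CREATE_CHILD_SA rekey requests (those carrying N(REKEY_SA)) that the peer keeps answering with N(NO_PROP), and to alert once the number of consecutive rejections crosses a threshold, since strongSwan itself will keep the IKE_SA and retry. The following Python script is an added example written for this page; it is not code from the post or from the strongSwan project. The sample log is constructed from the lines quoted above, with one assumption added: a second NO_PROP response to request 3, which the post does not show. The threshold of two consecutive rejections is a local policy choice, not anything strongSwan or RFC 4306 prescribes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# charon.log line format: "<thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+(?P<msg>.*)$")
REQ_RE = re.compile(r"generating CREATE_CHILD_SA request (?P<mid>\d+) \[(?P<payloads>[^\]]*)\]")
RESP_RE = re.compile(r"parsed CREATE_CHILD_SA response (?P<mid>\d+) \[(?P<payloads>[^\]]*)\]")

# Constructed sample, modelled on the lines quoted in the post. The response to
# request 3 (last four lines) is an assumption added for the example; the post
# only shows request 3 being sent.
SAMPLE_LOG = """\
01[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
01[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]
10[NET] received packet: from Y:Y:Y:1::1[500] to X:X:X:1::1[500]
10[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
10[IKE] failed to establish CHILD_SA, keeping IKE_SA
10[IKE] CHILD_SA rekeying failed, trying again in 24 seconds
05[KNL] creating rekey job for ESP CHILD_SA with SPI 8a8cefdc and reqid {1}
12[IKE] establishing CHILD_SA ikev2_test{1}
12[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
12[NET] sending packet: from X:X:X:1::1[500] to Y:Y:Y:1::1[500]
13[NET] received packet: from Y:Y:Y:1::1[500] to X:X:X:1::1[500]
13[ENC] parsed CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
13[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
13[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""


@dataclass
class RekeyReport:
    rekey_requests: int = 0          # CREATE_CHILD_SA requests carrying N(REKEY_SA)
    rejected: int = 0                # rekey requests answered with N(NO_PROP)
    completed: int = 0               # rekey requests answered with an SA payload
    consecutive_rejections: int = 0  # reset whenever a rekey completes
    alerts: List[str] = field(default_factory=list)


def analyse_rekeys(log_text: str, threshold: int = 2) -> RekeyReport:
    """Correlate CREATE_CHILD_SA rekey requests with their responses by message id."""
    report = RekeyReport()
    pending: Dict[str, bool] = {}  # message id -> True if the request was a rekey
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon log line; ignore
        msg = m.group("msg")

        req = REQ_RE.search(msg)
        if req:
            is_rekey = "N(REKEY_SA)" in req.group("payloads").split()
            pending[req.group("mid")] = is_rekey
            if is_rekey:
                report.rekey_requests += 1
            continue

        resp = RESP_RE.search(msg)
        if resp:
            mid = resp.group("mid")
            if not pending.pop(mid, False):
                continue  # response to a non-rekey request, or to one we never saw
            payloads = resp.group("payloads").split()
            if "N(NO_PROP)" in payloads:
                report.rejected += 1
                report.consecutive_rejections += 1
                if report.consecutive_rejections >= threshold:
                    report.alerts.append(
                        f"rekey request {mid} rejected with NO_PROPOSAL_CHOSEN; "
                        f"{report.consecutive_rejections} consecutive rejections, "
                        f"IKE_SA is being kept and retried"
                    )
            elif "SA" in payloads:
                report.completed += 1
                report.consecutive_rejections = 0
    return report


if __name__ == "__main__":
    r = analyse_rekeys(SAMPLE_LOG)
    print(f"rekey requests={r.rekey_requests} rejected={r.rejected} completed={r.completed}")
    for a in r.alerts:
        print("ALERT:", a)
```

Run it against a real charon.log by reading the file into `analyse_rekeys`; responses are matched to requests by IKEv2 message id, so interleaved non-rekey CREATE_CHILD_SA exchanges do not inflate the count.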