[Openswan dev] [Openswan Users] Rekey Problem between openswan and strongswan
Paul Wouters
paul at xelerance.com
Wed Oct 27 17:02:19 EDT 2010
On Wed, 27 Oct 2010, Yatong Cui wrote:
> 1> First, sorry that I forgot to change the phase 1 settings on the strongswan side from a previous test, should be "ike=3des-sha1-modp1024(not aes)", however the result is the same, the rekey is still not successful.
I am not sure if the "rekey" is the issue. It seems like this is the initial child_sa?
> (SCENARIO D)======STRONGSWAN----->>-----OPENSWAN=========
> (shorter) (longer)
>
> After 'lifetime minus margintime (parameters on strongswan)', strongswan begins to send the 'CREATE_CHILD_SA' isakmp packets.
>
> But there seems to be no response from the openswan side.
The relevant part of the log being:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | **parse ISAKMP Message:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | initiator cookie:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | ed 1f 17 d9 81 8f 37 92
Oct 27 07:36:44 OPENSWAN pluto[4474]: | responder cookie:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | 16 d1 0c 4a ac 5e c6 65
Oct 27 07:36:44 OPENSWAN pluto[4474]: | next payload type: ISAKMP_NEXT_v2E
Oct 27 07:36:44 OPENSWAN pluto[4474]: | ISAKMP version: IKEv2 version 2.0 (rfc4306)
Oct 27 07:36:44 OPENSWAN pluto[4474]: | exchange type: ISAKMP_v2_CHILD_SA
Oct 27 07:36:44 OPENSWAN pluto[4474]: | flags: ISAKMP_FLAG_INIT
Oct 27 07:36:44 OPENSWAN pluto[4474]: | message ID: 00 00 00 02
Oct 27 07:36:44 OPENSWAN pluto[4474]: | length: 348
Oct 27 07:36:44 OPENSWAN pluto[4474]: | processing version=2.0 packet with exchange type=ISAKMP_v2_CHILD_SA (36)
Oct 27 07:36:44 OPENSWAN pluto[4474]: | ICOOKIE: ed 1f 17 d9 81 8f 37 92
Oct 27 07:36:44 OPENSWAN pluto[4474]: | RCOOKIE: 16 d1 0c 4a ac 5e c6 65
Oct 27 07:36:44 OPENSWAN pluto[4474]: | state hash entry 23
Oct 27 07:36:44 OPENSWAN pluto[4474]: | v2 peer and cookies match on #1
Oct 27 07:36:44 OPENSWAN pluto[4474]: | v2 state object #1 found, in STATE_PARENT_R2
Oct 27 07:36:44 OPENSWAN pluto[4474]: packet from 2001:db8:1:2:20c:29ff:fe45:b04e:500: sending notification v2N_INVALID_MESSAGE_ID to 2001:db8:1:2:20c:29ff:fe45:b04e:500
Oct 27 07:36:44 OPENSWAN pluto[4474]: | don't send packet when notification data empty
Oct 27 07:36:44 OPENSWAN pluto[4474]: | * processed 0 messages from cryptographic helpers
Oct 27 07:36:44 OPENSWAN pluto[4474]: | next event EVENT_PENDING_DDNS in 31 seconds
Oct 27 07:36:44 OPENSWAN pluto[4474]: | next event EVENT_PENDING_DDNS in 31 seconds
Oct 27 07:36:50 OPENSWAN pluto[4474]: |
Can you check the RFC to see if the COOKIES of the parent_sa should be used for the child_sa?
Without having looked at the code, it seems we think these cookies belong to a parent_sa, and we
are not expecting an ISAKMP_v2_CHILD_SA packet with those cookies?
Paul
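
A small triage script for the pluto debug output quoted above, added here as an example that is not part of the original message or of Openswan's code: it groups the lines of each parsed IKE message and flags CHILD_SA requests that matched an existing state yet drew an INVALID notification. The function names are hypothetical, and the line formats are assumed to match the excerpt.

```python
import re
# Pluto debug lines taken from the message above (only those the parser uses).
LOG = """\
Oct 27 07:36:44 OPENSWAN pluto[4474]: | **parse ISAKMP Message:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | initiator cookie:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | ed 1f 17 d9 81 8f 37 92
Oct 27 07:36:44 OPENSWAN pluto[4474]: | responder cookie:
Oct 27 07:36:44 OPENSWAN pluto[4474]: | 16 d1 0c 4a ac 5e c6 65
Oct 27 07:36:44 OPENSWAN pluto[4474]: | exchange type: ISAKMP_v2_CHILD_SA
Oct 27 07:36:44 OPENSWAN pluto[4474]: | message ID: 00 00 00 02
Oct 27 07:36:44 OPENSWAN pluto[4474]: | v2 state object #1 found, in STATE_PARENT_R2
Oct 27 07:36:44 OPENSWAN pluto[4474]: packet from 2001:db8:1:2:20c:29ff:fe45:b04e:500: sending notification v2N_INVALID_MESSAGE_ID to 2001:db8:1:2:20c:29ff:fe45:b04e:500
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?:\| ?)?(.*)$")
HEX = re.compile(r"^(?:[0-9a-f]{2} ?)+$")

def parse_packets(text):
    """Group pluto debug lines into one dict per parsed IKE message."""
    packets, cur, pending = [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("**parse ISAKMP Message"):
            cur = {}
            packets.append(cur)
        elif cur is None:
            continue
        elif body in ("initiator cookie:", "responder cookie:"):
            pending = body.split()[0] + "_spi"  # hex value is on the next line
        elif pending and HEX.match(body):
            cur[pending], pending = body.replace(" ", ""), None
        elif body.startswith("exchange type:"):
            cur["exchange"] = body.split(": ", 1)[1]
        elif body.startswith("message ID:"):
            cur["msgid"] = int(body.split(":", 1)[1].replace(" ", ""), 16)
        elif (m2 := re.search(r"state object #(\d+) found, in (\S+)", body)):
            cur["state"] = (int(m2.group(1)), m2.group(2))
        elif (m3 := re.search(r"sending notification (\S+) to", body)):
            cur["notify"] = m3.group(1)
    return packets

def rejected_child_sa(packets):
    """CHILD_SA requests that matched an existing state but drew an error notify."""
    return [p for p in packets if p.get("exchange") == "ISAKMP_v2_CHILD_SA"
            and "state" in p and p.get("notify", "").startswith("v2N_INVALID")]
```

Running `rejected_child_sa(parse_packets(...))` over a full pluto log lists each rejected request with its SPIs, message ID and the state it matched, which makes it easy to compare across rekey attempts.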