IKE SA rekeying triggered in parallel with Child SA rekeying

Posted: Thu Jul 28, 2011 8:41 pm
by pib30
When a Child SA rekeying was initiated by one end (A), the other end (B) triggered an IKE SA rekeying in parallel.
What should be the nominal message exchange in this case (I didn't find it specified in the RFC)?

This is what happens in my case (seen on 'A''s side in /var/log/syslog and in the Wireshark trace capturing the A<->B message exchanges):
'A' sent a Create Child SA request to 'B' and immediately received the Create Child SA request from 'B'; 'A' complained that "peer initiated rekeying, but a child is half-open", then 'A' generated the CREATE_CHILD_SA response 0 [ N(NO_PROP) ]. Next, 'A' received CREATE_CHILD_SA response 6 [ N(NO_ADD_SAS) ] from 'B', and syslog additionally mentioned: "peer seems to not support CHILD_SA rekeying, starting reauthentication".
And after that 'A' sent Informational (delete IKE SA) to 'B':
sending DELETE for IKE_SA
added payload of type DELETE to message
generating INFORMATIONAL request 7 [ D ]
generating payload of type DELETE

When the response was received from 'B' and decrypted:
parsed INFORMATIONAL response 7 [ ]
IKE_SA deleted

Finally, 'A' triggered IKE SA Init, IKE Auth and Create Child SA.

I find this scenario abnormal, but I don't know which of the two ends behaves wrongly, so thanks for any help from your side.
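The crossing of a Child SA rekey with an IKE SA rekey that the post describes is an IKEv2 exchange collision. The following two-peer model is an added example, not code from the post or from any IKE implementation. It assumes the collision rule of RFC 5996 (Sections 2.8 and 2.25): a responder that receives a CREATE_CHILD_SA rekeying the IKE SA while it is itself rekeying or closing a Child SA, or one rekeying a Child SA while it is itself rekeying the IKE SA, answers with N(TEMPORARY_FAILURE), and the refused initiator simply retries once its own exchange has completed, so the IKE SA is never torn down. The peer names, message IDs and log wording are constructed for the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not from the post or from strongSwan): model of peer A rekeying a
# Child SA while peer B rekeys the IKE SA. Assumed rule from RFC 5996 Sections 2.8
# and 2.25: a crossing rekey of the *other* kind is refused with TEMPORARY_FAILURE
# and retried later. Same-kind collisions (both rekey the same SA) are resolved by
# nonce comparison in the RFC and are deliberately not modelled here.

TEMPORARY_FAILURE = "TEMPORARY_FAILURE"


@dataclass
class Message:
    sender: str
    msg_id: int
    rekey: str                    # "CHILD" or "IKE": which SA the CREATE_CHILD_SA rekeys
    response: bool = False
    notify: Optional[str] = None  # None on success, otherwise the error notify carried


@dataclass
class Peer:
    name: str
    log: List[str] = field(default_factory=list)  # shared between peers for a chronological transcript
    next_msg_id: int = 0
    pending: Optional[Message] = None             # our one outstanding CREATE_CHILD_SA request
    child_rekeyed: bool = False
    ike_rekeyed: bool = False

    def initiate_rekey(self, rekey: str) -> Message:
        """Initiator side: send a CREATE_CHILD_SA request (only one may be outstanding)."""
        if self.pending is not None:
            raise RuntimeError(f"{self.name}: CREATE_CHILD_SA {self.pending.msg_id} still outstanding")
        req = Message(self.name, self.next_msg_id, rekey)
        self.next_msg_id += 1
        self.pending = req
        self.log.append(f"{self.name}: generating CREATE_CHILD_SA request {req.msg_id} rekey {rekey}")
        return req

    def handle_request(self, req: Message) -> Message:
        """Responder side: a crossing rekey of the other kind gets TEMPORARY_FAILURE."""
        if self.pending is not None and self.pending.rekey != req.rekey:
            self.log.append(f"{self.name}: peer rekeys {req.rekey} SA while our {self.pending.rekey} "
                            f"rekey is outstanding -> N({TEMPORARY_FAILURE})")
            return Message(self.name, req.msg_id, req.rekey, response=True, notify=TEMPORARY_FAILURE)
        self._install(req.rekey)
        self.log.append(f"{self.name}: accepting CREATE_CHILD_SA request {req.msg_id} rekey {req.rekey}")
        return Message(self.name, req.msg_id, req.rekey, response=True)

    def handle_response(self, resp: Message) -> bool:
        """Initiator side: True if our rekey completed, False if we must retry later."""
        if self.pending is None or resp.msg_id != self.pending.msg_id:
            raise RuntimeError(f"{self.name}: unexpected response {resp.msg_id}")
        rekey = self.pending.rekey
        self.pending = None
        if resp.notify == TEMPORARY_FAILURE:
            self.log.append(f"{self.name}: {rekey} rekey refused with {TEMPORARY_FAILURE}, will retry")
            return False
        self._install(rekey)
        self.log.append(f"{self.name}: {rekey} rekey completed")
        return True

    def _install(self, rekey: str) -> None:
        if rekey == "IKE":
            self.ike_rekeyed = True
        else:
            self.child_rekeyed = True


def rekey(initiator: Peer, responder: Peer, kind: str) -> bool:
    """One complete, uncontested CREATE_CHILD_SA round trip."""
    return initiator.handle_response(responder.handle_request(initiator.initiate_rekey(kind)))


def run_collision() -> dict:
    transcript: List[str] = []
    a, b = Peer("A", transcript), Peer("B", transcript)
    # Both requests cross on the wire: each side is a responder while its own request is outstanding.
    req_a = a.initiate_rekey("CHILD")
    req_b = b.initiate_rekey("IKE")
    resp_from_b = b.handle_request(req_a)
    resp_from_a = a.handle_request(req_b)
    first_round = (a.handle_response(resp_from_b), b.handle_response(resp_from_a))
    # Both exchanges are now closed, so the retries no longer collide: A first, then B.
    retries = (rekey(a, b, "CHILD"), rekey(b, a, "IKE"))
    return {
        "first_round": first_round,          # both refused with TEMPORARY_FAILURE
        "retries": retries,                  # both succeed on retry
        "child_rekeyed": a.child_rekeyed and b.child_rekeyed,
        "ike_rekeyed": a.ike_rekeyed and b.ike_rekeyed,
        "transcript": transcript,
    }


if __name__ == "__main__":
    for line in run_collision()["transcript"]:
        print(line)
```

Contrast this with the trace in the post: there the crossing request is answered with NO_PROPOSAL_CHOSEN and NO_ADDITIONAL_SAS, which the initiator reads as a permanent refusal and escalates to deleting the IKE SA and reauthenticating. In the model the refusal is explicitly temporary, both rekeys complete on retry, and the IKE SA survives.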