
bugfix for IKEv2 some problems.
Closed, Wontfix | Public | BUG

Description

Hello

StrongSwan's charon (v4.5.2) has some problems.

1. Collision occurs at rekey, VPN keep disconnected.

When keylife is short, a collision occurs at rekey.

IKEv2 05[IKE] CHILD_SA rekey collision lost, deleting rekeyed child

I'd backport this issue.

bug report at StrongSwan
source code
bugfix in StrongSwan 5.4.0

2. Collision occurs at rekey, segmentation fault occurs with IPsec VTI

ipsec_starter[17127]: charon has died -- restart scheduled (5sec)

A null pointer is referenced and a segmentation fault occurs.
The above problems can be reproduced with the settings below.

ipsec.conf
---

        keylife=10s
        rekeymargin=5s
        rekeyfuzz=0%

Test status

Working fine at nifcloud VPN Gateway.

Best regards.
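Added example, not part of the original report or of strongSwan's code: a small model of why the reproduction settings above make both peers start a CHILD_SA rekey at the same instant. It assumes the rekey formula from the strongSwan ipsec.conf documentation, rekeytime = keylife - (rekeymargin + random(0, rekeymargin * rekeyfuzz)); the 0.1 s collision window, the function names and the comparison against the documented defaults (1h, 9m, 100%) are assumptions made for illustration.

```python
import random


def rekey_time(keylife, rekeymargin, rekeyfuzz_pct, rng):
    """Seconds after CHILD_SA installation at which one peer starts rekeying."""
    # rekeyfuzz is the maximum percentage by which rekeymargin is randomly increased.
    fuzz = rng.uniform(0.0, rekeymargin * rekeyfuzz_pct / 100.0)
    return keylife - (rekeymargin + fuzz)


def collision_rate(keylife, rekeymargin, rekeyfuzz_pct,
                   window=0.1, trials=20000, seed=1):
    """Fraction of SA lifetimes in which both peers start rekeying within
    `window` seconds of each other (assumed stand-in for one exchange)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Each peer draws its own rekey time independently.
        a = rekey_time(keylife, rekeymargin, rekeyfuzz_pct, rng)
        b = rekey_time(keylife, rekeymargin, rekeyfuzz_pct, rng)
        if abs(a - b) < window:
            hits += 1
    return hits / trials


# Settings from the report: keylife=10s, rekeymargin=5s, rekeyfuzz=0%.
REPORT_SETTINGS = dict(keylife=10, rekeymargin=5, rekeyfuzz_pct=0)
# Documented ipsec.conf defaults, used here only as a contrast case.
DEFAULT_SETTINGS = dict(keylife=3600, rekeymargin=540, rekeyfuzz_pct=100)

if __name__ == "__main__":
    for name, cfg in (("report", REPORT_SETTINGS), ("defaults", DEFAULT_SETTINGS)):
        print(f"{name:9s} collision rate: {collision_rate(**cfg):.4f}")
```

With rekeyfuzz=0% there is no randomisation, so both peers rekey exactly 5 s after every installation and the collision path is exercised on each 10 s lifetime; a non-zero rekeyfuzz makes simultaneous rekeys rare.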

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.1.8
Why the issue appeared?: Will be filled on close

Event Timeline

hasunuma created this task. (May 8 2018, 7:20 AM)
hasunuma updated the task description. (May 8 2018, 12:26 PM)
pasik added a subscriber: pasik. (May 15 2018, 9:55 PM)
syncer triaged this task as Normal priority. (May 27 2018, 9:52 AM)
syncer added subscribers: dmbaturin, syncer.

@dmbaturin can I mark this as wontfix for 1.1.x?

IKEv2 is not good in Strong Swan 4.5 at all. There is incompatibility with some other clients.

It's better to force 1.2 release instead.

syncer closed this task as Wontfix. (Oct 13 2018, 9:11 AM)
syncer claimed this task.

Please test on 1.2 and open a new task if the issue still exists.

syncer edited projects, added Rejected; removed vyatta-strongswan, VyOS 1.1.x. (Oct 15 2018, 6:30 AM)