[Swan] Libreswan to Fortigate | Failing with state transition 'Respond to CREATE_CHILD_SA IPsec SA Request' failed

Paul Wouters paul at nohats.ca
Mon Jan 4 14:27:02 UTC 2021


On Mon, 4 Jan 2021, Blue Aquan wrote:

> The tunnel remains connected now; the logs have nothing in particular except this message. The last line, however, still shows an informational message from Fortigate,
> "message response has no corresponding IKE SA". But otherwise the VPN is working as expected with all services.

Great!

> Jan  4 17:32:17.120117: "SUBNETS" #42: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey
> Jan  4 17:32:17.131274: "SUBNETS" #43: sent CREATE_CHILD_SA request to rekey IKE SA
> Jan  4 17:32:17.303648: "SUBNETS" #43: rekeyed #42 STATE_V2_REKEY_IKE_I1 and expire it remaining life 937.812965s
> Jan  4 17:32:17.303764: "SUBNETS" #43: established IKE SA {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
> Jan  4 17:32:18.305011: "SUBNETS" #42: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2663.301907s and sending notification
> Jan  4 17:32:18.362454: packet from 6.7.8.9:4500: INFORMATIONAL message response has no corresponding IKE SA

That is a buglet on our end. When libreswan deletes the old IKE SA
(#42) it does not wait for the (empty) response message. We have already
deleted #42, and the reply is encrypted to that #42 key. It is a
harmless message.

Paul
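As an added illustration of the race Paul describes (not code from libreswan or the FortiGate, and not part of the thread), the following toy model walks through the rekey and delete exchange with two peers that each keep a table of IKE SAs keyed by SPI. The SPIs 0x42/0x43, the keys, the repeating-key XOR "cipher" and the log wording are all constructed for the demo. Run with `keep_old_until_reply=False` the initiator drops #42 the moment it sends the delete, so the responder's empty INFORMATIONAL reply, protected with #42's key, cannot be matched to any SA and is logged as unmatched; with `keep_old_until_reply=True` the old SA lingers in a "deleting" state until the reply arrives, which is the assumed fix, not necessarily what libreswan later implemented.

```python
"""Toy model of the IKEv2 'rekey, then delete the old IKE SA' exchange.

Added illustration, not libreswan or FortiGate code.  SPIs, keys, the XOR
"cipher" and log wording are constructed; the point is the bookkeeping
around the final INFORMATIONAL reply.
"""
from dataclasses import dataclass, field
from itertools import cycle

OLD_SPI, NEW_SPI = 0x42, 0x43          # stand-ins for states #42 and #43


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, only so 'encrypted under the SA key' is visible."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


@dataclass
class Msg:
    spi: int                  # which IKE SA protects this message
    ciphertext: bytes
    is_response: bool = False


@dataclass
class Peer:
    name: str
    sas: dict = field(default_factory=dict)   # spi -> (key, state)
    log: list = field(default_factory=list)

    def send(self, spi: int, text: str, is_response: bool = False) -> Msg:
        key, _ = self.sas[spi]
        return Msg(spi, toy_encrypt(key, text.encode()), is_response)

    def receive(self, msg: Msg):
        """Return the decrypted text, or None when no IKE SA matches the SPI."""
        entry = self.sas.get(msg.spi)
        if entry is None:
            kind = "response" if msg.is_response else "request"
            self.log.append(f"INFORMATIONAL message {kind} has no corresponding IKE SA")
            return None
        key, _ = entry
        return toy_encrypt(key, msg.ciphertext).decode()


def simulate(keep_old_until_reply: bool):
    """Run rekey + delete; keep_old_until_reply=False mimics the thread's logs."""
    init, resp = Peer("libreswan"), Peer("fortigate")
    old_key, new_key = b"key-for-sa-42!!!", b"key-for-sa-43!!!"
    for p in (init, resp):
        p.sas[OLD_SPI] = (old_key, "established")

    # 1. CREATE_CHILD_SA rekey is carried under the old SA; both sides install #43.
    resp.receive(init.send(OLD_SPI, "CREATE_CHILD_SA(rekey IKE SA)"))
    for p in (init, resp):
        p.sas[NEW_SPI] = (new_key, "established")
    init.receive(resp.send(OLD_SPI, "CREATE_CHILD_SA(ok)", is_response=True))
    init.log.append("rekeyed #42 -> #43, established IKE SA")

    # 2. Initiator deletes #42: the INFORMATIONAL(delete) goes out under #42's key.
    delete_req = init.send(OLD_SPI, "INFORMATIONAL(delete IKE SA)")
    if keep_old_until_reply:
        init.sas[OLD_SPI] = (old_key, "deleting")   # linger until the reply arrives
    else:
        del init.sas[OLD_SPI]                        # thread behaviour: gone at once
    init.log.append("deleting state #42 and sending notification")

    # 3. Responder processes the delete and answers with an empty INFORMATIONAL,
    #    which it can only protect with the key it shares for #42.
    resp.receive(delete_req)
    delete_resp = resp.send(OLD_SPI, "INFORMATIONAL()", is_response=True)
    del resp.sas[OLD_SPI]

    # 4. Initiator tries to match the reply to an IKE SA by SPI.
    if init.receive(delete_resp) is not None:
        del init.sas[OLD_SPI]
        init.log.append("delete of #42 acknowledged")
    return init, resp


def unmatched_replies(peer: Peer) -> list:
    """Log lines that correspond to the 'no corresponding IKE SA' message."""
    return [line for line in peer.log if "no corresponding IKE SA" in line]


if __name__ == "__main__":
    for flag in (False, True):
        i, _ = simulate(keep_old_until_reply=flag)
        print(f"keep_old_until_reply={flag}: remaining SPIs {sorted(i.sas)}")
        for line in i.log:
            print("  ", line)
```

In both runs the tunnel ends up with only #43 on each side, which is why the message is harmless: nothing is left to protect with the old key, and the unmatched reply is simply discarded. The difference is only whether the initiator still has the #42 key on hand to decrypt and log the acknowledgement.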
