[Swan] Libreswan to Fortigate | Failing with state transition 'Respond to CREATE_CHILD_SA IPsec SA Request' failed

Paul Wouters paul at nohats.ca
Mon Jan 4 14:27:02 UTC 2021

On Mon, 4 Jan 2021, Blue Aquan wrote:

> The tunnel remains connected now, the logs has nothing in particular except this message. The last line however, still says information message from Fortigate,
> "message response has no corresponding IKE SA". But otherwise the VPN is working as expected with all services.


> Jan  4 17:32:17.120117: "SUBNETS" #42: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey
> Jan  4 17:32:17.131274: "SUBNETS" #43: sent CREATE_CHILD_SA request to rekey IKE SA
> Jan  4 17:32:17.303648: "SUBNETS" #43: rekeyed #42 STATE_V2_REKEY_IKE_I1 and expire it remaining life 937.812965s
> Jan  4 17:32:17.303764: "SUBNETS" #43: established IKE SA {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
> Jan  4 17:32:18.305011: "SUBNETS" #42: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2663.301907s and sending notification
> Jan  4 17:32:18.362454: packet from INFORMATIONAL message response has no corresponding IKE SA

That is a buglet on our end. When libreswan delete's the old IKE SA
(#42) it does not wait for the (empty) response message. We already
deletes #42 and the reply is encrypted to that #42 key. It is a
harmless message.


More information about the Swan mailing list