#Edited
After the Child SA exchange and a new terminal was created, my topology is:
10.0.0.8 – 192.168.86.38 === 192.168.86.39 – 10.0.0.1
60.60.0.3 – 192.168.86.38 === 192.168.86.39 – 192.168.82.5 (n3iwf gtp bind address) ------------ 127.0.0.8 (upf)
At this point, I want to ping from UE 60.60.0.3 to 192.168.82.5, but the ping is not going through.
I checked the xfrm state and policy, and it had the same SPI for both ways (60.60.0.3 -> 192.168.82.5 and 192.168.82.5 -> 60.60.0.3) in free5gc, but in the UE (I used strongswan) it had a different SPI for each way. I think this is the main reason the ping is not working, but I am not sure.
I checked the source code and this is what I understand for now:
- When the PDU session establishment request message is sent from the UE, free5gc will receive the message and start a Create Child SA.
- In the proposal of the new SA, it will allocate a new SPI.
- UE side strongswan will receive the message and start the Create Child SA.
- strongswan will use the SPI that was sent as the SPI for free5gc, and will allocate a new SPI for itself and send it through the response SA.
- strongswan will use the SPI sent from free5gc for the strongswan -> free5gc xfrm state SPI and will use the new strongswan’s SPI for the free5gc -> strongswan xfrm state SPI.
- When free5gc receives the IKE message, it will use the strongswan’s SPI to generate the key and apply the xfrm state SPI.
As a result, an SPI and key mismatch comes out. If there is an error in my acknowledgement, please guide me to the right way.
I tried changing the xfrm state and policy in the strongswan side to match with the free5gc and the other way around and both did not work. What can we do to solve the problem?
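A way to compare the two ends' `ip xfrm state` output for the symptom described above, as an added example that is not part of the original post or of free5gc or strongSwan. In IKEv2 (RFC 7296) each peer picks the SPI for the ESP SA it receives on, so both peers must list the same SPI for a given outer src -> dst pair. The SPI values and the trimmed output below are constructed; only the outer tunnel addresses come from the post.

```python
import re

# Constructed `ip xfrm state` excerpts (key lines omitted). Addresses are the
# outer tunnel endpoints from the post; the SPI values are made up.
UE_STATE = """\
src 192.168.86.38 dst 192.168.86.39
    proto esp spi 0x000000a1 reqid 2 mode tunnel
src 192.168.86.39 dst 192.168.86.38
    proto esp spi 0xc5d3e7f2 reqid 2 mode tunnel
"""
N3IWF_STATE = """\
src 192.168.86.38 dst 192.168.86.39
    proto esp spi 0x000000a1 reqid 0 mode tunnel
src 192.168.86.39 dst 192.168.86.38
    proto esp spi 0x000000a1 reqid 0 mode tunnel
"""

SA_RE = re.compile(r"^src (\S+) dst (\S+)\s*\n\s+proto esp spi (0x[0-9a-fA-F]+)", re.M)

def parse_sas(text):
    """Return {(src, dst): [spi, ...]} for every ESP SA in `ip xfrm state` output."""
    sas = {}
    for src, dst, spi in SA_RE.findall(text):
        sas.setdefault((src, dst), []).append(int(spi, 16))
    return sas

def compare(ue_text, gw_text):
    """List findings where the two peers disagree about an ESP SA."""
    ue, gw = parse_sas(ue_text), parse_sas(gw_text)
    findings = []
    # 1. For each direction, both peers must hold the same set of SPIs.
    for flow in sorted(set(ue) | set(gw)):
        a, b = set(ue.get(flow, [])), set(gw.get(flow, []))
        if a != b:
            findings.append(f"{flow[0]} -> {flow[1]}: UE has "
                            f"{sorted(map(hex, a))}, N3IWF has {sorted(map(hex, b))}")
    # 2. One SPI installed for both directions on a peer is worth a closer look.
    for name, sas in (("UE", ue), ("N3IWF", gw)):
        for (src, dst), spis in sas.items():
            shared = set(spis) & set(sas.get((dst, src), []))
            if src < dst and shared:  # report each address pair once
                findings.append(f"{name}: SPI {sorted(map(hex, shared))} "
                                f"used in both directions between {src} and {dst}")
    return findings

if __name__ == "__main__":
    for line in compare(UE_STATE, N3IWF_STATE):
        print(line)
```
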