[strongSwan-dev] Question about old child-SAs
Noam Lampert
lampert at google.com
Tue Nov 18 16:31:04 CET 2014
Dear strongswan devs,
I am trying to fathom the process in which a VPN connection quickly
re-establishes after a reboot of one of the gateways in a tunnel.
If our gateway reboots, and a new IKE SA is established, is it possible
that we will still receive packets from the peer using a child-SA that was
established prior to the reboot?
If so, what is the process in which the peer understands that this child SA
is no longer valid?
Can you point me specifically to code?
For instance, it looks like our gateway won't be sending del-sa for the
child SA (when I look at ikev2/tasks/child_delete.c, it seems that this
will silently fail because the child-sa for the 'old' SPI won't be found).
Does strongswan send an information unencrypted response according to
section 1.5 of RFC 4306? If so, I gather it would need to receive first an
IKE packet on the old IKE SA (which may take more time).
I also saw some references to INITIAL_CONTACT, but they seem to be centered
only around IKEv1.
Thanks,
Noam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20141118/f28e9216/attachment.html>
More information about the Dev
mailing list