<div dir="ltr">Hey all,<div><br></div><div>A gentle ping on this issue?</div><div>What is the correct behavior in IKEv1? Deleting the child-SAs when the IKE SA gets deleted, or keeping them around until they expire?</div><div><br></div><div>Noam</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 7, 2015 at 10:58 AM, SM K <span dir="ltr">&lt;<a href="mailto:sacho.polo@gmail.com" target="_blank">sacho.polo@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 7, 2015 at 12:21 AM, Noam Lampert <span dir="ltr">&lt;<a href="mailto:lampert@google.com" target="_blank">lampert@google.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">ends a delete</blockquote></div><br>I had a similar problem with Cisco 891 firewalls, when it reauths the IKE SA. It deleted the expired IKE SA before creating a new one. But the delete of the IKE SA deletes the child SAs on strongSwan (kinda silently). The firewall however continues to use the child SA. If the firewall had created the new IKE SA before deleting the old one, the child SAs would have been adopted by the new IKE SA and everything would be dandy. In my setup, I fixed it by adding a check that if an IKE SA being deleted has child SAs, the delete returns a success without deleting the IKE SA. When the new IKE SA is created, it adopts the previous IKE SA's children and replaces the old one.</div><span class="HOEnZb"><font color="#888888"><div class="gmail_extra"><br></div><div class="gmail_extra">-sk</div></font></span></div>
</blockquote></div><br></div>
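The ordering problem described in the quoted reply, as an added example that is not part of the thread and is not strongSwan code: a toy responder that tracks IKE SAs and their child SAs, run through delete-before-create, create-before-delete, and the deferred-delete check. The class, method names, peer label and SPI value are all hypothetical and constructed for illustration.

```python
# Toy model of a responder's SA table (constructed; not strongSwan internals).

class Responder:
    def __init__(self, defer_delete_with_children=False):
        # When True, a delete for an IKE SA that still owns child SAs is
        # acknowledged but not carried out (the check described in the reply).
        self.defer = defer_delete_with_children
        self.ike_sas = {}  # ike_id -> {"peer": str, "children": set of SPIs}

    def establish_ike(self, ike_id, peer):
        sa = {"peer": peer, "children": set()}
        # A new IKE SA with the same peer adopts the children of any older
        # IKE SA still present and replaces it.
        for old_id, old in list(self.ike_sas.items()):
            if old["peer"] == peer:
                sa["children"] |= old["children"]
                del self.ike_sas[old_id]
        self.ike_sas[ike_id] = sa

    def add_child(self, ike_id, spi):
        self.ike_sas[ike_id]["children"].add(spi)

    def delete_ike(self, ike_id):
        sa = self.ike_sas.get(ike_id)
        if sa is None:
            return "unknown"
        if self.defer and sa["children"]:
            return "deferred"  # report success, keep the SA and its children
        del self.ike_sas[ike_id]  # the children go away with the IKE SA
        return "deleted"

    def child_spis(self):
        return set().union(*(sa["children"] for sa in self.ike_sas.values()))


def reauth(order, defer=False):
    """Replay a peer's reauthentication steps; return (live child SPIs, IKE SA ids)."""
    r = Responder(defer)
    r.establish_ike("ike-1", "peer-A")
    r.add_child("ike-1", 0xC0FFEE01)  # constructed SPI the peer keeps using
    for step in order:
        if step == "delete-old":
            r.delete_ike("ike-1")
        elif step == "create-new":
            r.establish_ike("ike-2", "peer-A")
    return r.child_spis(), sorted(r.ike_sas)


if __name__ == "__main__":
    print(reauth(["delete-old", "create-new"]))              # child SA lost
    print(reauth(["create-new", "delete-old"]))              # child SA adopted
    print(reauth(["delete-old", "create-new"], defer=True))  # child SA adopted
```

In this model a deferred IKE SA that never gets a replacement stays in the table indefinitely, so an implementation of the same check would need its own expiry for that case.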