<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi,</div>
<div> </div>
<div>We are using strongSwan version 4.5.3 and have the following queries.</div>
<div> </div>
<div>Section 1.3 of RFC 5996:</div>
<div> The responder sends a NO_ADDITIONAL_SAS notification to indicate that</div>
<div> a CREATE_CHILD_SA request is unacceptable because the responder is</div>
<div> unwilling to accept any more Child SAs on this IKE SA. This</div>
<div> notification can also be used to reject IKE SA rekey. Some minimal</div>
<div> implementations may only accept a single Child SA setup in the</div>
<div> context of an initial IKE exchange and reject any subsequent attempts</div>
<div> to add more.</div>
<div> </div>
<div>And Section 1.3.1 (creating a new Child SA using CREATE_CHILD_SA):</div>
<div><font face="Tahoma" size="2" color="red"><span style="font-size:10pt;"><b> A failed attempt to create a Child SA SHOULD NOT tear down the IKE<br>
</b><b> SA:</b><font color="black"> </font>there is no reason to lose the work done to set up the IKE SA.<br>
See Section 2.21 for a list of error messages that might occur if<br>
creating a Child SA fails.</span></font></div>
<div> </div>
<div> </div>
<div>My understanding of these paragraphs leads to the following scenarios in which the peer sends the NO_ADDITIONAL_SAS notification:</div>
<div>Scenario-1 --> No Child SA allowed using CREATE_CHILD_SA (apart from the one created during the AUTH exchange)</div>
<div>How does strongSwan behave in this case? Will it delete the IKE and try to recreate the IKE &amp; child again?</div>
<div> </div>
<div>Scenario-2 --> Already &lt;N&gt; Child SAs are created and the peer doesn't support an (N+1)th Child SA under the given IKE (is it possible to enforce such a restriction?)</div>
<div>How does strongSwan behave in this case? Will it delete the IKE and all the Child SAs under that IKE and try to recreate the IKE &amp; Child SAs again?</div>
<div> </div>
<div>Scenario-3 --> Reject IKE rekeying request using CREATE_CHILD_SA from the peer</div>
<div>How does strongSwan behave in this case? Will it delete the IKE and all the Child SAs under that IKE and try to recreate the IKE &amp; Child SAs again?</div>
<div> </div>
<div>Scenario-4 --> In case of a 1-IKE and multiple-Child-SA configuration, if the peer rejects the rekey request for any of the Child (ESP) SAs with "NO_ADDITIONAL_SAS"</div>
<div>How does strongSwan behave in this case?</div>
<div> </div>
<div>BR,</div>
<div>Shashidhar</div>
<div> </div>
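<div>An added example (my own code, not part of this message or of strongSwan): a decoder for the IKEv2 Notify payload of RFC 5996 section 3.10, using the NO_ADDITIONAL_SAS and REKEY_SA type values from section 3.10.1, plus the initiator-side outcome that section 1.3.1 prescribes for a rejected CREATE_CHILD_SA (keep the IKE SA). The sample payload bytes are constructed and the scenario labels are my own.</div>

```python
import struct
from dataclasses import dataclass

# IKEv2 Notify Message Types (RFC 5996 section 3.10.1).
NO_ADDITIONAL_SAS = 35      # error: responder refuses more Child SAs or an IKE SA rekey
REKEY_SA = 16393            # status: marks a CREATE_CHILD_SA request as a Child SA rekey
ERROR_TYPE_MAX = 16383      # types 1..16383 are errors, 16384 and above are status
PROTO_NAMES = {0: "none", 1: "IKE", 2: "AH", 3: "ESP"}

# Constructed sample payloads (not captured traffic).
SAMPLE_NO_ADDITIONAL_SAS = bytes.fromhex("00000008" "00000023")           # no SPI, type 35
SAMPLE_REKEY_SA = bytes.fromhex("0000000c" "03044009" "01020304")         # ESP SPI, type 16393


@dataclass
class Notify:
    protocol_id: int
    spi: bytes
    msg_type: int
    data: bytes

    @property
    def is_error(self) -> bool:
        return 1 <= self.msg_type <= ERROR_TYPE_MAX


def parse_notify(buf: bytes) -> Notify:
    """Decode one Notify payload: generic header, Protocol ID, SPI Size, Type, SPI, data."""
    if len(buf) < 8:
        raise ValueError("Notify payload shorter than its fixed 8-byte header")
    _next, _flags, length = struct.unpack("!BBH", buf[:4])
    proto, spi_size, msg_type = struct.unpack("!BBH", buf[4:8])
    # Length checks first: a malformed peer must not make us read past the buffer.
    if length < 8 + spi_size or length > len(buf):
        raise ValueError("Payload Length inconsistent with SPI Size or buffer")
    if spi_size and proto not in (1, 2, 3):
        raise ValueError("SPI present but Protocol ID is not IKE/AH/ESP")
    return Notify(proto, buf[8:8 + spi_size], msg_type, buf[8 + spi_size:length])


def initiator_outcome(requested: str, response: Notify) -> dict:
    """Initiator handling of a CREATE_CHILD_SA response. `requested` (my own labels) is
    "new_child", "child_rekey" or "ike_rekey". Section 1.3.1: a failed Child SA attempt
    SHOULD NOT tear down the IKE SA, so keep_ike_sa stays True in every case."""
    if response.msg_type != NO_ADDITIONAL_SAS:
        return {"rejected": False, "keep_ike_sa": True, "note": "not NO_ADDITIONAL_SAS"}
    notes = {
        "new_child": "Child SA not created; IKE SA kept (section 1.3.1)",
        "child_rekey": "Child SA rekey refused; IKE SA kept, existing Child SA not deleted",
        "ike_rekey": "IKE SA rekey refused (section 1.3); current IKE SA kept",
    }
    return {"rejected": True, "keep_ike_sa": True, "note": notes[requested]}
```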
</span></font>
</body>
</html>