Hi Sir,<div><br></div><div>We are using Strongswan-4.5.3 in our application. Here we are facing an issue during the CHILD_SA Re-Key.</div><div>The messages are given below.</div><div><br></div><div><p class="MsoNormal">
Initiator Responder</p><p class="MsoNormal"><br></p><p class="MsoNormal"></p><p class="MsoNormal"> --------------- CREATE_CHILD_SA (CHILD_SA Re-Key)-------------></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"> ----------------CREATE_CHILD_SA (NO_ADDITIONAL_SAS)--------></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"> ----------------- INFORMATIONAL (DELETE for IKE) ----------------------></p><p class="MsoNormal"><br></p><p class="MsoNormal">As per RFC 5996, it says as below for the "NO_ADDITIONAL_SAS" notification,</p><p class="MsoNormal"><br></p><p class="MsoNormal">
</p><p class="MsoNormal"><b>If the responder rejects the CREATE_CHILD_SA</b></p><p class="MsoNormal"><b>request with a NO_ADDITIONAL_SAS notification, the implementation</b></p><p class="MsoNormal"><b>MUST be capable of instead deleting the old SA and creating a new</b></p>
<p class="MsoNormal"><b>one.</b></p><p></p><p class="MsoNormal"><br></p><p class="MsoNormal"><br></p><p class="MsoNormal">Here it refers to CHILD_SA deletion & creation. However, in Strongswan, it's doing the RE-AUTH of IKE_SA.</p>
<p class="MsoNormal">Is this the expected behavior, or is this RFC 5996 case not implemented?</p><p class="MsoNormal"><br></p><p class="MsoNormal"> Thanks & Regards,</p><p class="MsoNormal">Murali V</p><p></p></div>
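<p>An added example, not part of the original message and not strongSwan code: it decodes the Notify payload that carries NO_ADDITIONAL_SAS and plans the CHILD_SA-level fallback the quoted RFC 5996 text describes. The planner function, the step names and the sample SPI are assumptions made for this illustration; the numeric constants are the RFC 5996 values.</p>

```python
import struct

# Values from RFC 5996: Notify types (section 3.10.1), Protocol IDs (3.3.1).
NO_ADDITIONAL_SAS = 35
REKEY_SA = 16393
PROTO_ESP = 3

def parse_notify(body: bytes) -> dict:
    """Decode a Notify payload body (the part after the generic payload header)."""
    if len(body) < 4:
        raise ValueError("truncated Notify payload")
    proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
    if len(body) < 4 + spi_size:
        raise ValueError("SPI size exceeds payload length")
    return {"protocol": proto, "type": ntype,
            "spi": body[4:4 + spi_size], "data": body[4 + spi_size:]}

def build_rekey_notify(old_spi: bytes) -> bytes:
    """REKEY_SA notify the initiator puts in its CREATE_CHILD_SA rekey request."""
    return struct.pack("!BBH", PROTO_ESP, len(old_spi), REKEY_SA) + old_spi

def plan_after_rekey_response(old_spi: bytes, notifies: list) -> list:
    """Hypothetical planner: follow-up exchanges after a CHILD_SA rekey response."""
    types = {n["type"] for n in notifies}
    if NO_ADDITIONAL_SAS in types:
        # Fallback from the quoted RFC text: delete the old CHILD_SA, then
        # negotiate a fresh one (no REKEY_SA notify, the old SA is gone).
        return [("INFORMATIONAL", {"delete_esp_spi": old_spi}),
                ("CREATE_CHILD_SA", {"rekey_of": None})]
    if any(t < 16384 for t in types):
        # Types below 16384 are errors; keeping the old SA is this example's choice.
        return [("KEEP_OLD_SA", {"errors": sorted(t for t in types if t < 16384)})]
    # Rekey accepted: the new SA exists, so only the old one is deleted.
    return [("INFORMATIONAL", {"delete_esp_spi": old_spi})]

# Constructed sample: old ESP SPI and a NO_ADDITIONAL_SAS notify (no SPI, no data).
OLD_SPI = bytes.fromhex("c0ffee01")
REJECT = parse_notify(bytes.fromhex("00000023"))

if __name__ == "__main__":
    print(parse_notify(build_rekey_notify(OLD_SPI)))
    for step in plan_after_rekey_response(OLD_SPI, [REJECT]):
        print(step)
```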