<div>Hi SS team,</div>
<div> </div>
<div>I am sending an INITIAL_CONTACT notify message to get a new IKE_SA to replace an old IKE_SA that uses the same ID (leftid). I am using the uniqueness policy "replace" to achieve this, but it does not always delete the old IKE_SA that uses the same ID as the new IKE_SA.</div>
<div> </div>
<div>The old IKE_SA got deleted when the new and old IKE_SA use the same leftid and rightid. The old IKE_SA did not get deleted when the rightid is different.</div>
<div>Below I have included the ipsec statusall output from the remote VPN host where the IKE_SA did not get deleted.</div>
<div> </div>
<div>Is this a bug, and are there any fixes? I appreciate any clarification. I am using strongSwan 5.0.1.</div>
<div> </div>
<div>Note: the new IKE_SA succeeded and the old IKE_SA is not deleted after a new connection that matches conn2 appears with the same leftid but a different rightid from the old IKE_SA that matches conn1.</div>
<pre>
connections:
       conn1:  172.16.20.5...172.16.20.4  IKEv1
       conn1:   local:  [id2.com] uses pre-shared key authentication
       conn1:   remote: [id1.com] uses pre-shared key authentication
       conn1:   child:  172.16.40.10/32 === 172.16.50.10/32 TUNNEL
       conn2:  172.16.30.5...172.16.30.4  IKEv1
       conn2:   local:  [id3.com] uses pre-shared key authentication
       conn2:   remote: [id1.com] uses pre-shared key authentication
       conn2:   child:  172.16.60.10/32 === 172.16.70.10/32 TUNNEL
Routed Connections:
       conn1{1}:  ROUTED, TUNNEL
       conn1{1}:   172.16.40.10/32 === 172.16.50.10/32
       conn2{2}:  ROUTED, TUNNEL
       conn2{2}:   172.16.60.10/32 === 172.16.70.10/32
Security Associations (2 up, 0 connecting):
       conn2[2]: ESTABLISHED 12 seconds ago, 172.16.30.5[id3.com]...172.16.30.4[<strong>id1.com</strong>]
       conn2[2]: IKEv1 SPIs: d060015f5f9d4cb1_i 2c3838041993b109_r*, rekeying in 23 hours
       conn2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
       conn2{4}:  INSTALLED, TUNNEL, ESP SPIs: cc189c07_i ca5aad79_o
       conn2{4}:  AES_CBC_128/HMAC_SHA1_96, 252 bytes_i (9s ago), 252 bytes_o (9s ago), rekeying in 53 minutes
       conn2{4}:   172.16.60.10/32 === 172.16.70.10/32
       conn1[1]: ESTABLISHED 21 seconds ago, 172.16.20.5[id2.com]...172.16.20.4[<strong>id1.com</strong>]
       conn1[1]: IKEv1 SPIs: 73801375ea2795e6_i f3a4709574c6d890_r*, rekeying in 23 hours
       conn1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
       conn1{3}:  INSTALLED, TUNNEL, ESP SPIs: cb6b690d_i cfcad16e_o
       conn1{3}:  3DES_CBC/HMAC_SHA1_96, 252 bytes_i (18s ago), 252 bytes_o (18s ago), rekeying in 47 minutes
       conn1{3}:   172.16.40.10/32 === 172.16.50.10/32
</pre>
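<div>As an added check that is not part of the original post (and not strongSwan code), the following script parses the "Security Associations" section of the statusall output quoted above, embedded here as a constructed sample trimmed to the ESTABLISHED and SPI lines, and lists every remote identity that is present in more than one established IKE_SA. It also groups on the (local id, remote id) pair, so one can see at a glance which of the two views treats the conn1/conn2 SAs as duplicates. The regular expression and function names are this example's own assumptions.</div>

```python
import re
from collections import defaultdict

# Constructed sample: the "Security Associations" section of the
# `ipsec statusall` output quoted in the post above, trimmed to the
# lines this check needs.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
       conn2[2]: ESTABLISHED 12 seconds ago, 172.16.30.5[id3.com]...172.16.30.4[id1.com]
       conn2[2]: IKEv1 SPIs: d060015f5f9d4cb1_i 2c3838041993b109_r*, rekeying in 23 hours
       conn1[1]: ESTABLISHED 21 seconds ago, 172.16.20.5[id2.com]...172.16.20.4[id1.com]
       conn1[1]: IKEv1 SPIs: 73801375ea2795e6_i f3a4709574c6d890_r*, rekeying in 23 hours
"""

# One ESTABLISHED line per IKE_SA, in the form
#   <conn>[<num>]: ESTABLISHED <age>, <lhost>[<lid>]...<rhost>[<rid>]
# (pattern is an assumption of this example, written against the sample above).
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>[^\s\[]+)\[(?P<num>\d+)\]:\s+ESTABLISHED\b.*?,\s*"
    r"(?P<lhost>\S+?)\[(?P<lid>[^\]]+)\]\.\.\.(?P<rhost>\S+?)\[(?P<rid>[^\]]+)\]\s*$"
)


def parse_ike_sas(status_text):
    """Return one dict per ESTABLISHED IKE_SA found in statusall output."""
    sas = []
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas.append(m.groupdict())
    return sas


def duplicates_by_remote_id(sas):
    """Group IKE_SAs by remote identity; keep only identities with more than one SA."""
    by_rid = defaultdict(list)
    for sa in sas:
        by_rid[sa["rid"]].append(sa)
    return {rid: group for rid, group in by_rid.items() if len(group) > 1}


def duplicates_by_id_pair(sas):
    """Same grouping, but keyed on the (local id, remote id) pair: what a
    uniqueness check that compares both identities would treat as a duplicate."""
    by_pair = defaultdict(list)
    for sa in sas:
        by_pair[(sa["lid"], sa["rid"])].append(sa)
    return {pair: group for pair, group in by_pair.items() if len(group) > 1}


if __name__ == "__main__":
    sas = parse_ike_sas(SAMPLE_STATUS)
    for rid, group in duplicates_by_remote_id(sas).items():
        names = ", ".join(f"{sa['conn']}[{sa['num']}] local={sa['lid']}" for sa in group)
        print(f"remote id {rid} has {len(group)} established IKE_SAs: {names}")
    print("duplicate (local id, remote id) pairs:", duplicates_by_id_pair(sas))
```

<div>Run against the sample, the remote-identity view reports id1.com twice (conn1[1] with local id2.com and conn2[2] with local id3.com), while the pair view reports nothing, since the two SAs differ in their local identity. Feeding it the live output of <code>ipsec statusall</code> on the responder shows the same distinction for a real setup.</div>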