[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

Christophe Gouault christophe.gouault at 6wind.com
Thu Oct 2 10:13:33 CEST 2014


2014-10-02 10:08 GMT+02:00 Martin Willi <martin at strongswan.org>:
> Hi Christophe,
>
> Thanks for your patch.
>
>> Do a little cleanup when deleting a connection via "ipsec update"
>> command:
>> - delete all established CHILD_SAs
>> - unroute the connection
>> - delete IKE_SAs that have no more CHILD_SAs
>> - delete the connection
>> - make sure to refuse an undesired negotiation request from the peer,
>>   by deleting the connection before terminating it.
>
> These changes certainly make sense in some scenarios. However, the
> behavioral change is non-trivial. That an "update" of connections
> deletes all associated SAs is not that obvious, especially as we did not
> do that before. I'd guess we'd break many scripted installations with
> that change.
>
> If we introduce such a behavioral change, I think we need to make that
> optional, and probably disable it by default.
>
> Regards
> Martin

Hi Martin,

You're right, this makes sense. I'll provide an update that makes it optional.

Best regards,
Christophe
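The cleanup order in the patch description matters for one specific reason: if the SAs are torn down while the connection definition still exists, the peer can simply re-negotiate in the gap, and the "deleted" connection comes back. The toy model below is an added illustration, not strongSwan's starter code; the `ToyDaemon` class, the `net-net` connection name and the `cleanup_sas` flag (standing in for the opt-in switch Martin asks for) are all constructed for this example. It runs the pre-patch behaviour, the patched order, and the naive "terminate first, delete afterwards" order against a peer that immediately tries to reconnect.

```python
# Added example: a toy model of the cleanup sequence discussed in the thread.
# Not strongSwan code; names and behaviour are simplified assumptions.
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    conn: str
    child_sas: list = field(default_factory=list)


class ToyDaemon:
    """Minimal stand-in for the IKE daemon's connection and SA bookkeeping."""

    def __init__(self):
        self.conns = {}     # connection name -> {"routed": bool}
        self.ike_sas = []   # established IKE_SAs
        self.events = []    # ordered record of what happened

    def add_conn(self, name, routed=True):
        self.conns[name] = {"routed": routed}

    def establish(self, name, children=1):
        sa = IkeSa(name, [f"{name}{{{i}}}" for i in range(1, children + 1)])
        self.ike_sas.append(sa)
        self.events.append(f"established {name}")
        return sa

    def peer_initiate(self, name):
        """Peer asks to (re)negotiate; accepted only while the config exists."""
        if name in self.conns:
            self.establish(name)
            return True
        self.events.append(f"refused {name}")
        return False

    def terminate_child_sas(self, name):
        for sa in self.ike_sas:
            if sa.conn == name:
                sa.child_sas.clear()
        self.events.append(f"child_sas down {name}")

    def unroute(self, name):
        if name in self.conns:
            self.conns[name]["routed"] = False

    def terminate_idle_ike_sas(self, name):
        # IKE_SAs of this connection that no longer carry any CHILD_SA go away.
        self.ike_sas = [sa for sa in self.ike_sas
                        if not (sa.conn == name and not sa.child_sas)]

    def delete_conn(self, name):
        self.conns.pop(name, None)
        self.events.append(f"deleted {name}")


def update_delete(d, name, cleanup_sas=False, delete_first=True, peer_reconnects=True):
    """Model 'ipsec update' removing a connection from the config.

    cleanup_sas=False  : pre-patch behaviour, config goes, SAs are left alone.
    delete_first=True  : the patch's order, config removed before SAs are torn down.
    delete_first=False : naive order that leaves a window for the peer to re-negotiate.
    """
    if not cleanup_sas:
        d.delete_conn(name)
        return
    if delete_first:
        d.delete_conn(name)
    d.terminate_child_sas(name)
    if peer_reconnects:          # peer reacts to the DELETE by trying again
        d.peer_initiate(name)
    d.unroute(name)
    d.terminate_idle_ike_sas(name)
    if not delete_first:
        d.delete_conn(name)


def scenario(cleanup_sas, delete_first=True, peer_reconnects=True):
    """Run one variant and summarise the resulting daemon state."""
    d = ToyDaemon()
    d.add_conn("net-net")                 # constructed connection name
    d.establish("net-net", children=2)
    update_delete(d, "net-net", cleanup_sas, delete_first, peer_reconnects)
    return {
        "conn_present": "net-net" in d.conns,
        "ike_sas": len(d.ike_sas),
        "child_sas": sum(len(sa.child_sas) for sa in d.ike_sas),
        "peer_refused": "refused net-net" in d.events,
    }


if __name__ == "__main__":
    print("pre-patch      :", scenario(cleanup_sas=False))
    print("patched order  :", scenario(cleanup_sas=True, delete_first=True))
    print("naive order    :", scenario(cleanup_sas=True, delete_first=False))
```

The third run is the one to look at: with the connection still defined while its SAs are being terminated, the reconnecting peer gets a fresh IKE_SA and CHILD_SA, and the connection that the operator meant to remove is alive again. Deleting the definition first turns that attempt into a refusal, which is exactly the last bullet of the patch description.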
