[strongSwan-dev] problem with a cisco891 after reauthentication

SM K sacho.polo at gmail.com
Mon Apr 13 23:48:55 CEST 2015

Hi All,

I am seeing a problem with a cisco891 connected to strongswan 5.1.3 using
IKEv1. It seems like a cisco problem, but I did not see this problem with
strongswan 4.x, maybe because the older strongswan handled it a different

I notice the problem when the cisco attempts reauthentication of phase1. It
seems that the existing phase1 is first downed before the new one is
created. In most other firewalls, I see that a new phase1 is created before
the old one is killed.

The problem with how the cisco891 does this is that when the phase1 that is
being reauthenticated is deleted, the phase2s are also killed on
strongswan. But these phase2s still exist on the cisco and it is actively
sending data on them. When the new phase1 is created, strongswan of course
doesn't have any phase2s to adopt. So we have the cisco out-of-sync with
strongswan. Is there any way to work around this in strongswan?

I also noticed that when the child SAs are killed when a phase1 goes down,
it does not send a delete message to the other side. Shouldn't the full
delete process for the child SA be followed so that the other side also
deletes its phase2s?

thanks in advance,
