[strongSwan-dev] [strongSwan] problem with a cisco891 after reauthentication

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 14 13:14:13 CEST 2015


Hi SK,

just upgrade to the latest strongSwan 5.3.0 stable release which
introduces make-before-break reauthentication for the charon daemon.

Best regards

Andreas

On 13.04.2015 23:48, SM K wrote:
> Hi All,
>
> I am seeing a problem with a cisco891 connected to strongswan 5.1.3
> using IKEv1. It seems like a cisco problem, but i did not see this
> problem with strongswan 4.x matbe because the older strongswan handled
> it a different way.
>
> I notice the problem when the cisco attempts reauthentication of phase1.
> It seems that the existing phase1 is first down-ed before the new one is
> created. In most other firewalls, i see that a new phase1 is created
> before the old one is killed.
>
> The problem with how the cisco891 does this is that when phase1 that is
> being reauthenticated is deleted, the phase2s are also killed on
> strongswan. But these phase2 still exist on the cisco and it is actively
> sending data on this. When the new phase1 is created, strongswan
> ofcourse does have any phase2s to adopt. So we have the cisco
> out-of-sync with strongswan. Is there anyway to workaround this in
> strongswan?
>
> I also noticed that when the child SAs are killed when a phase1 goes
> down, it does not send a delete message to the other side. Shouldn't the
> full delete process for the child SA be followed so that the other side
> also deletes its phases2s?
>
> thanx in advance,
> SK
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150414/776c5b34/attachment.bin>


More information about the Dev mailing list