[strongSwan-dev] [strongSwan] problem with a cisco891 after reauthentication
andreas.steffen at strongswan.org
Tue Apr 14 13:14:13 CEST 2015
Just upgrade to the latest strongSwan 5.3.0 stable release which
introduces make-before-break reauthentication for the charon daemon.
On 13.04.2015 23:48, SM K wrote:
> Hi All,
> I am seeing a problem with a cisco891 connected to strongswan 5.1.3
> using IKEv1. It seems like a cisco problem, but I did not see this
> problem with strongswan 4.x, maybe because the older strongswan handled
> it a different way.
> I notice the problem when the cisco attempts reauthentication of phase1.
> It seems that the existing phase1 is first down-ed before the new one is
> created. In most other firewalls, I see that a new phase1 is created
> before the old one is killed.
> The problem with how the cisco891 does this is that when phase1 that is
> being reauthenticated is deleted, the phase2s are also killed on
> strongswan. But these phase2 still exist on the cisco and it is actively
> sending data on this. When the new phase1 is created, strongswan
> of course does have any phase2s to adopt. So we have the cisco
> out-of-sync with strongswan. Is there any way to work around this in
> I also noticed that when the child SAs are killed when a phase1 goes
> down, it does not send a delete message to the other side. Shouldn't the
> full delete process for the child SA be followed so that the other side
> also deletes its phase2s?
> thanx in advance,
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)