[strongSwan-dev] problem with a cisco891 after reauthentication

SM K sacho.polo at gmail.com
Thu Apr 16 03:03:15 CEST 2015


Thank you Tobias, Option 1 (ignore a phase1 delete) worked for me.

regards,
SK


On Wed, Apr 15, 2015 at 12:43 AM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi,
>
> > Are IKEv1 peers expected to break all connections before making a new one?
> > Or are they expected to make a new one before breaking the old one?
>
> The latter, but that's just how charon expects it.  ISAKMP as such does
> not require a Ph1 SA between peers that have Ph2 SAs (see [1]).
>
> > 1. Ignore a Phase 1 delete if it still has Phase 2s. This is for IKEv1
> > only since we are testing with IKEv1 firewalls only.
> > 2. Instead of silently deleting Phase2s, do a proper delete that sends
> > out a DELETE to the other side. Would this be difficult to implement?
>
> 2 will only work if the SAs are recreated again automatically (e.g. if
> you use auto=route).  But it's definitely more difficult to implement.
> So I'd try 1 first.
>
> Regards,
> Tobias
>
> [1]
> https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.3
>
>
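The two options discussed above, as an added illustration that is not strongSwan code: a simplified model of one side's ISAKMP (Phase 1) SA table that receives a Phase 1 DELETE while Phase 2 SAs still exist. The policy names, `Peer`/`IsakmpSa` classes and the `auto_route` flag are assumptions of this model, and it only tracks the local side, not the SAs the remote peer keeps.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    SILENT = "drop Phase 2 SAs silently"        # behaviour the thread reports
    IGNORE_PH1_DELETE = "option 1"              # keep Ph1 while Ph2 SAs exist
    NOTIFY_PH2_DELETE = "option 2"              # send DELETE for each Ph2 SA


@dataclass
class IsakmpSa:                                  # hypothetical model class
    cookie: str
    phase2_spis: list = field(default_factory=list)


@dataclass
class Peer:                                      # local side only (assumption)
    policy: Policy
    auto_route: bool = False                     # conn uses auto=route (trap)
    ike_sas: dict = field(default_factory=dict)
    sent_deletes: list = field(default_factory=list)
    active_phase2: set = field(default_factory=set)

    def install(self, cookie, phase2_spis):
        self.ike_sas[cookie] = IsakmpSa(cookie, list(phase2_spis))
        self.active_phase2.update(phase2_spis)

    def on_phase1_delete(self, cookie):
        """Handle the remote peer's DELETE for the Phase 1 SA `cookie`.
        Returns a short description of what happened to its Phase 2 SAs."""
        sa = self.ike_sas.get(cookie)
        if sa is None:
            return "unknown SA"
        if sa.phase2_spis and self.policy is Policy.IGNORE_PH1_DELETE:
            return "ignored; Phase 2 SAs kept"        # ISAKMP SA stays too
        if self.policy is Policy.NOTIFY_PH2_DELETE:
            self.sent_deletes.extend(sa.phase2_spis)  # remote learns they are gone
        for spi in sa.phase2_spis:                    # SILENT: remote is not told
            self.active_phase2.discard(spi)
        del self.ike_sas[cookie]
        if self.auto_route and sa.phase2_spis:
            # trap policy re-triggers a fresh Phase 1 + Phase 2 negotiation;
            # constructed ids stand in for the new cookie/SPIs
            self.install(cookie + "'", [s + "'" for s in sa.phase2_spis])
            return "Phase 2 SAs replaced via auto=route"
        return "Phase 2 SAs dropped"
```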