[strongSwan-dev] problem with a cisco891 after reauthentication
sacho.polo at gmail.com
Thu Apr 16 03:03:15 CEST 2015
Thank you Tobias, Option 1 (ignore a phase1 delete) worked for me.
On Wed, Apr 15, 2015 at 12:43 AM, Tobias Brunner <tobias at strongswan.org>
> > Are IKEv1s are expected to break all connections before making a new one?
> > Or
> > Are they expected to make a new one before breaking the old one.
> The latter, but that's just how charon expects it. ISAKMP as such does
> not require a Ph1 SA between peers that have Ph2 SAs (see ).
> > 1. Ignore an Phase 1 delete if it still has phase2s. This is for IKEv1
> > only since we are testing with ikev1 firewalls only.
> > 2. Instead of silently deleting Phase2s, do a proper delete that sends
> > out a DELETE to the other side. Would this be difficult to implement?
> 2 will only work if the SAs are recreated again automatically (e.g. if
> you use auto=route). But it's definitely more difficult to implement.
> So I'd try 1 first.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dev