[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Noam Lampert lampert at google.com
Sun Jun 7 09:21:31 CEST 2015


We are having trouble building a steady connection with a Palo Alto device.
The Palo Alto supports only IKEv1.
When the IKE-SA expires on the Palo Alto device, it sends a delete-SA. This
causes strongSwan to delete the CHILD-SAs negotiated with that IKE-SA, but
the Palo Alto continues to use those CHILD-SAs to send traffic until they
expire as well (which can be quite some time).

What do you think? Is this a bug in strongSwan or in Palo Alto? Can you
point me to the relevant RFC excerpts?

