[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)
lampert at google.com
Sun Jun 7 09:21:31 CEST 2015
We are having trouble building a steady connection with a Palo Alto device.
The Palo Alto supports only IKEv1.
When the IKE-SA expires on the Palo-Alto device, it sends a delete-SA. This
causes strongswan to delete the child-SAs negotiated with that IKE SA, but
the Palo Alto continues to use those CHILD-SAs to send traffic until they
expire as well (which can be quite some time).
What do you think? Is this a bug in strongswan or in Palo Alto? Can you
point me to the relevant RFC excerpts?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dev