[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

SM K sacho.polo at gmail.com
Sun Jun 7 09:58:54 CEST 2015


On Sun, Jun 7, 2015 at 12:21 AM, Noam Lampert <lampert at google.com> wrote:

> ends a delete


I had a similar problem with Cisco 891 firewalls, when it reauths the IKE
SA. It deleted the expired IKE SA before creating a new one. But the delete
of the IKE SA deletes the child SAs on strongSwan (kinda silently). The
firewall however continues to use the child SA. If the firewall had created
the new IKE SA before deleting the old one, the child SAs would have been
adopted by the new IKE SA and everything would be dandy. In my setup, I
fixed it by adding a check that if an IKE SA being deleted has child SAs,
the delete returns a success without deleting the IKE SA. When the new IKE
SA is created, it adopts the previous IKE SA's children and replaces the old
one.

-sk
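
The ordering described in this message, as a toy model: this is an added example, not strongSwan code and not the poster's patch. The class, method and SA names (`Responder`, `reauth`, `ike-1`, `esp-1`) are hypothetical, and the SA table is simplified to a single peer.

```python
from dataclasses import dataclass, field

@dataclass
class IkeSa:
    name: str
    children: list = field(default_factory=list)
    pending_delete: bool = False  # delete acknowledged but not carried out

class Responder:
    """Side that receives the peer's IKE SA delete/create during reauth."""
    def __init__(self, defer_delete_with_children):
        self.defer = defer_delete_with_children
        self.ike_sas = {}  # name -> IkeSa, all for the same peer

    def establish(self, name, children=()):
        new = IkeSa(name, list(children))
        for old in list(self.ike_sas.values()):
            new.children += old.children   # new IKE SA adopts existing child SAs
            old.children = []
            if old.pending_delete:         # deferred delete completes: old SA replaced
                del self.ike_sas[old.name]
        self.ike_sas[name] = new

    def delete(self, name):
        sa = self.ike_sas.get(name)
        if sa is None:
            return True
        if self.defer and sa.children:
            sa.pending_delete = True       # workaround: report success, keep the SA
            return True
        del self.ike_sas[name]             # child SAs are dropped with the IKE SA
        return True

    def child_sas(self):
        return sorted(c for sa in self.ike_sas.values() for c in sa.children)

def reauth(order, defer):
    """Replay the peer's reauth steps; return (surviving child SAs, IKE SAs)."""
    r = Responder(defer)
    r.establish("ike-1", ["esp-1"])        # constructed initial state
    for step in order:
        if step == "delete":
            r.delete("ike-1")
        else:
            r.establish("ike-2")
    return r.child_sas(), sorted(r.ike_sas)

if __name__ == "__main__":
    print("create then delete:         ", reauth(("create", "delete"), False))
    print("delete then create:         ", reauth(("delete", "create"), False))
    print("delete then create, deferred:", reauth(("delete", "create"), True))
```

An empty child SA list in the second case is the state in which the peer keeps sending on a child SA that this side no longer has.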