[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Noam Lampert lampert at google.com
Wed Jun 10 15:40:24 CEST 2015


Hey all,

A gentle ping on this issue?
What is the correct behavior in IKEv1? Deleting the child-SAs when the IKE
SA gets deleted, or keeping them around until they expire?

Noam

On Sun, Jun 7, 2015 at 10:58 AM, SM K <sacho.polo at gmail.com> wrote:

>
> On Sun, Jun 7, 2015 at 12:21 AM, Noam Lampert <lampert at google.com> wrote:
>
>> ends a delete
>
>
> I had a similar problem with Cisco 891 firewalls, when it reauths the IKE
> SA. It deleted the expired IKE SA before creating a new one. But the delete
> of the IKE SA deletes the child SAs on strongSwan (kinda silently). The
> firewall however continues to use the child SA. If the firewall had created
> the new IKE SA before deleting the old one, the child SAs would have been
> adopted by the new IKE SA and everything would be dandy. In my setup, I
> fixed it by adding a check that if an IKE SA being deleted has child SAs,
> the delete returns a success without deleting the IKE SA. When the new IKE
> SA is created, it adopts the previous IKE SA's children and replaces the old
> one.
>
> -sk
>
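
The two reauthentication orderings and the deferred-delete workaround described in the quoted reply, as an added toy model. This is not strongSwan code and not the poster's patch; every type and function name is hypothetical, and the adoption behaviour is assumed to be as the reply describes it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of one responder; hypothetical names, not strongSwan's API. */
typedef struct { bool alive; int children; } ike_sa_t;
typedef struct { ike_sa_t old_sa, new_sa; bool defer_delete; } responder_t;

/* Peer sends a DELETE for the old IKE SA. */
static void on_delete_old(responder_t *r)
{
    /* Workaround from the reply: acknowledge the delete but keep the SA
     * while it still owns child SAs and no replacement exists yet. */
    if (r->defer_delete && r->old_sa.children > 0 && !r->new_sa.alive)
        return;
    r->old_sa.alive = false;
    r->old_sa.children = 0;      /* child SAs are removed with their IKE SA */
}

/* Peer establishes the replacement IKE SA. */
static void on_new_sa(responder_t *r)
{
    r->new_sa.alive = true;
    if (r->old_sa.alive) {       /* adopt the children, replace the old SA */
        r->new_sa.children += r->old_sa.children;
        r->old_sa.children = 0;
        r->old_sa.alive = false;
    }
}

/* Number of child SAs still installed locally after the reauthentication.
 * The peer in the reply keeps using all of them, so 0 means its traffic
 * arrives for SAs this side no longer has. */
int children_after_reauth(bool delete_first, bool defer_delete, int children)
{
    responder_t r = { { true, children }, { false, 0 }, defer_delete };
    if (delete_first) { on_delete_old(&r); on_new_sa(&r); }
    else              { on_new_sa(&r); on_delete_old(&r); }
    return r.new_sa.children;
}

int main(void)
{
    printf("delete first, no workaround: %d\n", children_after_reauth(true, false, 2));
    printf("delete first, deferred:      %d\n", children_after_reauth(true, true, 2));
    printf("new SA first:                %d\n", children_after_reauth(false, false, 2));
    return 0;
}
```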