[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Tobias Brunner tobias at strongswan.org
Wed Jun 10 16:26:26 CEST 2015

Hi Noam,

> What is the correct behavior in IKEv1? Deleting the child-SAs when the
> IKE SA gets deleted, or keeping them around until they expire?

Having Phase 2 SAs without Phase 1 SAs is fine with IKEv1 (see [1]).
However, charon is mainly an IKEv2 daemon, where this is not the case.
To simplify the implementation charon follows the "the continuous
channel model" also for IKEv1 (and does not support the other model).
That is, its current data model has CHILD_SAs logically attached to
IKE_SAs and if an IKE_SA is terminated so are its CHILD_SAs.


[1] https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.3

More information about the Dev mailing list