[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)
lampert at google.com
Wed Jun 10 16:30:23 CEST 2015
I understand that it indeed simplifies implementation.
However, now it is not possible to peer strongSwan with Palo Alto devices.
Do you have a suggested workaround?
On Wed, Jun 10, 2015 at 5:26 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Noam,
> > What is the correct behavior in IKEv1? Deleting the child-SAs when the
> > IKE SA gets deleted, or keeping them around until they expire?
> Having Phase 2 SAs without Phase 1 SAs is fine with IKEv1 (see ).
> However, charon is mainly an IKEv2 daemon, where this is not the case.
> To simplify the implementation, charon follows "the continuous
> channel model" also for IKEv1 (and does not support the other model).
> That is, its current data model has CHILD_SAs logically attached to
> IKE_SAs and if an IKE_SA is terminated so are its CHILD_SAs.