[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Noam Lampert lampert at google.com
Wed Jun 10 16:30:23 CEST 2015


I understand that it indeed simplifies implementation.

However, now it is not possible to peer strongSwan with Palo Alto devices.
Do you have a suggested workaround?

Noam

On Wed, Jun 10, 2015 at 5:26 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Noam,
>
> > What is the correct behavior in IKEv1? Deleting the child-SAs when the
> > IKE SA gets deleted, or keeping them around until they expire?
>
> Having Phase 2 SAs without Phase 1 SAs is fine with IKEv1 (see [1]).
> However, charon is mainly an IKEv2 daemon, where this is not the case.
> To simplify the implementation charon follows the "continuous
> channel model" also for IKEv1 (and does not support the other model).
> That is, its current data model has CHILD_SAs logically attached to
> IKE_SAs and if an IKE_SA is terminated so are its CHILD_SAs.
>
> Regards,
> Tobias
>
> [1]
> https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.3
>
>
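The thread does not answer the workaround question. One approach practitioners commonly try for this kind of lifetime mismatch is to make strongSwan the side that rekeys first, so its ISAKMP SA is replaced before the peer's Phase 1 lifetime expires and before the peer would be left with Phase 2 SAs that charon no longer tracks. The ipsec.conf fragment below is an added example, not configuration from this thread or from the strongSwan project; the peer's Phase 1 and Phase 2 lifetimes (8h and 1h) and the connection name `palo-alto` are assumed values, and whether this actually resolves the interoperability problem with the Palo Alto devices in question is an assumption, not something the page states.

```ini
# Added example (not from the thread). Assumes the peer is configured with
# an 8h Phase 1 lifetime and a 1h Phase 2 lifetime; adjust to the real values.
conn palo-alto
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=203.0.113.10          # assumed peer address
    rightsubnet=10.2.0.0/16
    authby=secret
    auto=start

    # Keep both strongSwan lifetimes below the peer's so charon, not the
    # peer, initiates every rekeying. charon schedules a rekey at
    # lifetime - margintime*(1 + rand(0..rekeyfuzz)), so with the values
    # below the ISAKMP SA is replaced between 6h42m and 7h24m, well before
    # the peer's 8h Phase 1 expiry, and IPsec SAs between 32m and 41m.
    ikelifetime=7h
    lifetime=50m
    margintime=9m
    rekeyfuzz=100%

    # Assumed safety net: if the peer still tears down the CHILD_SA
    # (which, per Tobias' explanation, takes the Phase 2 SAs with it on
    # the strongSwan side), re-establish the tunnel rather than staying down.
    closeaction=restart
    dpdaction=restart
    dpddelay=30s
```

The only lifetime rule to observe is that the rekey window (`lifetime` minus up to twice `margintime`) must still be comfortably shorter than the peer's configured lifetime, otherwise the peer may win the race and delete first. Check the resulting timing with `ipsec statusall`, which prints the remaining time on each IKE_SA and CHILD_SA.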