[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)
Tobias Brunner
tobias at strongswan.org
Wed Jun 10 16:35:52 CEST 2015
> However, now it is not possible to peer strongswan with palo-alto devices.
> Do you have a suggested workaround?
If you can't get that device to change its behavior (e.g. by enabling
DPD, which would require a Phase 1 SA) you could do what SK suggested,
that is, ignore DELETE payloads (always, or only if CHILD_SAs are
attached). For instance, just return SUCCESS in [1].
Regards,
Tobias
[1]
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/tasks/isakmp_delete.c;hb=HEAD#l77
More information about the Dev
mailing list