[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)
tobias at strongswan.org
Wed Jun 10 16:35:52 CEST 2015
> However, now it is not possible to peer strongswan with palo-alto devices.
> Do you have a suggested workaround?
If you can't get that device to change its behavior (e.g. by enabling
DPD, which would require a Phase 1 SA) you could do what SK suggested,
that is, ignore DELETE payloads (always, or only if CHILD_SAs are
attached). For instance, just return SUCCESS in .
More information about the Dev