[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Tobias Brunner tobias at strongswan.org
Wed Jun 10 16:35:52 CEST 2015

> However, now it is not possible to peer strongswan with palo-alto devices.
> Do you have a suggested workaround?

If you can't get that device to change its behavior (e.g. by enabling
DPD, which would require a Phase 1 SA) you could do what SK suggested,
that is, ignore DELETE payloads (always, or only if CHILD_SAs are
attached).  For instance, just return SUCCESS in [1].



More information about the Dev mailing list