[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Tobias Brunner tobias at strongswan.org
Wed Jun 10 16:35:52 CEST 2015


> However, now it is not possible to peer strongswan with palo-alto devices.
> Do you have a suggested workaround?

If you can't get that device to change its behavior (e.g. by enabling
DPD, which would require a Phase 1 SA) you could do what SK suggested,
that is, ignore DELETE payloads (always, or only if CHILD_SAs are
attached).  For instance, just return SUCCESS in [1].

Regards,
Tobias

[1]
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/tasks/isakmp_delete.c;hb=HEAD#l77

