[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Noam Lampert lampert at google.com
Wed Jun 10 17:17:06 CEST 2015


Hi Tobias,

Thanks. These are good tips.
We already have DPD set up.
I think there might be a bug that the adopt_children task is asynchronous,
so if a new phase 1 is created, the old phase 1 can be deleted before the
adoption occurs. I think this is happening to us quite frequently.

Noam


On Wed, Jun 10, 2015 at 5:35 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> > However, now it is not possible to peer strongswan with palo-alto
> > devices.
> > Do you have a suggested workaround?
>
> If you can't get that device to change its behavior (e.g. by enabling
> DPD, which would require a Phase 1 SA) you could do what SK suggested,
> that is, ignore DELETE payloads (always, or only if CHILD_SAs are
> attached).  For instance, just return SUCCESS in [1].
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/tasks/isakmp_delete.c;hb=HEAD#l77
>