[strongSwan-dev] CHILD-SA lifetime after IKE-SA expiry (IKEv1)

Tobias Brunner tobias at strongswan.org
Tue Jun 16 14:09:36 CEST 2015


Hi Noam,

> We already have DPD set up.

Hm, but then why does the box terminate the Phase 1 SA?  How is DPD
supposed to work?

> I think there might be a bug that the adopt_children task is
> asynchronous, so if a new phase 1 is created, the old phase 1 can be
> deleted before the adoption occurs. I think this is happening to us
> quite frequently.

Do you have logs that show this?  While the adopt_children job does run
asynchronously, it (usually) does so pretty much right after the last
Phase 1 message is sent to the client, so until the SA is deleted the
client has to receive that message, process it and send back a DELETE
for the SA, which then in turn has to be processed by strongSwan (also
queued as job to the processor).  Seems very unlucky that it should
happen often that the DELETE is processed before the adopt_children job.
Unless, of course, the client deletes the existing SA concurrently for
some reason (or if you use Aggressive Mode, where the last of three
Phase 1 messages is sent by the client, which then might also send the
DELETE right away).  Also, if you have uniqueids=yes set, the
adopt_children job is usually not required as CHILD_SAs are adopted earlier.

Regards,
Tobias
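[Editor's note, added to this archived message and not part of the thread or of strongSwan itself: the ipsec.conf fragment below shows the two settings the reply points at, uniqueids=yes (so CHILD_SAs are adopted when the replacement Phase 1 comes up, without depending on the adopt_children job winning the race against the client's DELETE) and IKEv1 DPD with Main Mode. The connection name, certificate file name and timing values are assumptions chosen for illustration.]

```ini
# Added example, not from the original thread or the strongSwan project.
# Connection name, certificate name and timers are assumed values.

config setup
    # A new Phase 1 from the same peer identity replaces the old one and
    # its CHILD_SAs are adopted earlier, so the asynchronous
    # adopt_children job is usually not needed.
    uniqueids=yes

conn roadwarrior
    keyexchange=ikev1
    # Main Mode: the responder sends the last Phase 1 message, so the
    # client cannot send a DELETE for the old SA before that message
    # has even left the gateway (unlike Aggressive Mode).
    aggressive=no
    # Dead peer detection so a vanished client is noticed by the gateway
    # itself instead of relying on the client tearing down Phase 1.
    # dpdtimeout is only used with IKEv1.
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s
    left=%defaultroute
    leftcert=gatewayCert.pem
    right=%any
    auto=add
```

With this in place, a reconnecting client with the same identity causes the old IKE_SA to be replaced and its CHILD_SAs taken over as part of the Phase 1 replacement rather than by the separately queued job, which is the situation the reply describes as normally not needing adopt_children at all.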
