[strongSwan-dev] [PATCH 2/2] Move reauthenticated IKE_SA to state IKE_REKEYING on delete

Tobias Brunner tobias at strongswan.org
Wed Apr 27 12:14:50 CEST 2016

> This prevents the run of the updown scripts when the delete is executed.

I don't think this will work correctly.  The updown script will run for
the newly established CHILD_SAs, but then not for the deleted ones.  So
if the script does e.g. add firewall rules for every established SA
these won't all get removed if e.g. make-before-break reauthentication
is used.  You might better implement some kind of refcounting in your
script so that it works with overlapping, duplicate CHILD_SAs.


More information about the Dev mailing list