[strongSwan-dev] [PATCH 2/2] Move reauthenticated IKE_SA to state IKE_REKEYING on delete
Tobias Brunner
tobias at strongswan.org
Wed Apr 27 12:14:50 CEST 2016
> This prevents the run of the updown scripts when the delete is executed.
I don't think this will work correctly. The updown script will run for
the newly established CHILD_SAs, but then not for the deleted ones. So
if the script does e.g. add firewall rules for every established SA
these won't all get removed if e.g. make-before-break reauthentication
is used. You might better implement some kind of refcounting in your
script so that it works with overlapping, duplicate CHILD_SAs.
Regards,
Tobias
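
The reference counting suggested in the message above, sketched as an updown script. This is an added example, not part of the original post or of strongSwan; the state directory, the key layout and the two rule functions are assumptions.

```shell
#!/bin/sh
# Reference-counted updown hook: added example, not strongSwan code.
# PLUTO_* are the variables strongSwan exports to updown scripts.
# STATE_DIR, the key layout and both rule functions are assumptions.
STATE_DIR="${STATE_DIR:-/var/run/updown-refcnt}"

# Placeholders: put the real firewall commands here.
apply_rule()  { echo "install rule for $1"; }
remove_rule() { echo "remove rule for $1"; }

# mkdir is atomic, so it serialises concurrently running hooks.
lock()   { while ! mkdir "$STATE_DIR/.lock" 2>/dev/null; do sleep 1; done; }
unlock() { rmdir "$STATE_DIR/.lock"; }

# Key on connection and traffic selectors, not on the individual CHILD_SA,
# so the duplicate created during reauthentication shares one counter.
rule_key() {
    printf '%s' "$PLUTO_CONNECTION-$PLUTO_MY_CLIENT-$PLUTO_PEER_CLIENT" |
        tr -c 'A-Za-z0-9._-' '_'
}

count() { cat "$STATE_DIR/$1" 2>/dev/null || echo 0; }

handle() {
    mkdir -p "$STATE_DIR" || return 1
    key=$(rule_key)
    lock
    n=$(count "$key")
    case "$1" in
        up-*)   # host, client and -v6 variants
            # Only the first SA for these selectors installs the rule.
            [ "$n" -eq 0 ] && apply_rule "$key"
            echo $((n + 1)) > "$STATE_DIR/$key" ;;
        down-*)
            if [ "$n" -le 1 ]; then
                # Last SA gone; a stray "down" at zero removes nothing.
                [ "$n" -eq 1 ] && remove_rule "$key"
                rm -f "$STATE_DIR/$key"
            else
                echo $((n - 1)) > "$STATE_DIR/$key"
            fi ;;
    esac
    unlock
}

if [ -n "${PLUTO_VERB:-}" ]; then handle "$PLUTO_VERB"; fi
```

The counter only balances if every "up" is eventually matched by a "down", so it does not compensate for a daemon that skips the "down" call.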