[strongSwan-dev] Understanding IKEv1 rekey
Noam Lampert
lampert at google.com
Mon Aug 22 11:55:09 CEST 2016
Strongswan does not send a DELETE.
Here is the pointer where Strongswan decides not to send a DELETE.
ke_sa->delete() for a IKE SA that is rekeyed silently deletes itself:
https://github.com/strongswan/strongswan/blob/master/src/libcharon/sa/ike_
sa.c#L1786 (note the 'break' and return DESTROY_ME).
On Mon, Aug 22, 2016 at 12:53 PM, Tobias Brunner <tobias at strongswan.org>
wrote:
> Hi Noam,
>
> > > My question: How is the Cisco ASR supposed to know that the old
> IKE SA
> > > is no longer relevant?
> > Because it is deleted?
> >
> > How is the peer supposed to know that it is deleted if it doesn't
> > receive a DELETE message?
>
> It doesn't send one? I suppose that's problematic (however, DELETES in
> IKEv1 are not really reliable anyway).
>
> Regards,
> Tobias
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20160822/de3077d6/attachment.html>
More information about the Dev
mailing list