[strongSwan-dev] Understanding IKEv1 rekey

Noam Lampert lampert at google.com
Mon Aug 22 13:01:17 CEST 2016

Thanks, I am optimistic about this working.

On Mon, Aug 22, 2016 at 1:43 PM, Tobias Brunner <tobias at strongswan.org>

> Hi Noam,
> > Strongswan does not send a DELETE.
> Yeah, according to the message of the commit that added that break
> statement (3a0b67bce5) the idea was to just wait for the SA to expire
> (it doesn't really explain why the break was added and the peer is not
> notified about the deletion).  The duplicate check that was added later
> kills the SA after 10 seconds now.  Perhaps the break was added to avoid
> the alert if the SA expired, or the ike_updown() event (which has since
> been added) - with strongSwan a notification wasn't required anyway as
> it automatically deletes the old IKE_SA as responder of a rekeying.
> But I think notifying the peer that the SA was deleted makes definitely
> sense.  If deleting it after 10 seconds is a problem (e.g. because the
> DELETE is regularly dropped) we could probably also change that so SAs
> are not killed until they actually expire (as responder or initiator of
> the rekeying).  But since strongSwan does not negotiate SA lifetimes and
> always uses its own configuration that deletion will not be synced with
> the peer, which could cause problems later if a peer did not receive the
> delete and has a longer lifetime and still uses the SA.
> I pushed a change that removes the break statement to the
> ikev1-rekey-deletion branch.
> Regards,
> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20160822/554614c7/attachment.html>

More information about the Dev mailing list