[strongSwan] strongswan IKEv2 ikesa rekey

Martin Willi martin at strongswan.org
Fri Jun 24 10:48:12 CEST 2011


> There are currently two open child_sa's for the IKE_SA as after the
> last child_sa rekey, the test system did not promptly remove the old
> child_sa. 
> is that what the message is referring to on the IKE_SA rekey request
> or is it something else? 

Yes, the CHILD_SA rekeying is not considered complete, as the old
CHILD_SA has not been deleted. And rekeying an IKE_SA that has CHILD_SAs
currently rekeying should be rejected (RFC 5996 2.25.1).

I don't see a good reason why your other implementation should insert a
IKE_SA rekeying in the middle of a CHILD_SA rekeying. That makes the
situation just complicated.


More information about the Users mailing list