[strongSwan] strongswan IKEv2 ikesa rekey
Martin Willi
martin at strongswan.org
Fri Jun 24 10:48:12 CEST 2011
Hi,
> There are currently two open child_sa's for the IKE_SA as after the
> last child_sa rekey, the test system did not promptly remove the old
> child_sa.
> Is that what the message is referring to on the IKE_SA rekey request
> or is it something else?
Yes, the CHILD_SA rekeying is not considered complete, as the old
CHILD_SA has not been deleted. And rekeying an IKE_SA that has CHILD_SAs
currently rekeying should be rejected (RFC 5996 2.25.1).
I don't see a good reason why your other implementation should insert an
IKE_SA rekeying in the middle of a CHILD_SA rekeying. That makes the
situation just complicated.
Regards
Martin
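
Added example, not part of the original message and not strongSwan code: a minimal C model of the responder-side check described above, where a CHILD_SA rekey stays "in progress" until the old CHILD_SA is deleted and an IKE_SA rekey request arriving in that window is answered with the RFC 5996 TEMPORARY_FAILURE notify (type 43). The state names, struct layout, function names and SPI values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical lifecycle states for a CHILD_SA; not strongSwan's own enum. */
typedef enum {
    CHILD_INSTALLED,   /* in use, no rekey pending */
    CHILD_REKEYING,    /* CREATE_CHILD_SA rekey exchange in flight */
    CHILD_REKEYED,     /* replaced, but the old SA has not been deleted yet */
    CHILD_DELETED      /* DELETE exchange finished, SA gone */
} child_state_t;

/* TEMPORARY_FAILURE is the RFC 5996 notify type; 0 means "accept" here. */
enum { ACCEPT_REKEY = 0, TEMPORARY_FAILURE = 43 };

typedef struct {
    unsigned int spi;
    child_state_t state;
} child_sa_t;

/* A CHILD_SA rekey counts as unfinished until the replaced SA is deleted. */
static int child_rekey_pending(const child_sa_t *c)
{
    return c->state == CHILD_REKEYING || c->state == CHILD_REKEYED;
}

/* Decide how to answer an incoming IKE_SA rekey request. */
int handle_ike_rekey_request(const child_sa_t *children, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (child_rekey_pending(&children[i])) {
            return TEMPORARY_FAILURE;   /* peer should retry later */
        }
    }
    return ACCEPT_REKEY;
}

int main(void)
{
    /* Constructed sample: old CHILD_SA still present after its rekey. */
    child_sa_t sas[] = { { 0xc0ffee01u, CHILD_REKEYED },
                         { 0xc0ffee02u, CHILD_INSTALLED } };
    printf("before delete: %d\n", handle_ike_rekey_request(sas, 2));
    sas[0].state = CHILD_DELETED;
    printf("after delete:  %d\n", handle_ike_rekey_request(sas, 2));
    return 0;
}
```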