[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared

Tobias Brunner tobias at strongswan.org
Wed Apr 11 16:58:46 CEST 2012

Hi Anurag,

> As per the below conf file I assume that reauth is set to "yes", even
> though I do not set it explicitly. Can you please confirm this?

Yes, reauth=yes is currently the default.  And by using auto=route you
created the same problem as recently discussed on this mailing list with
Anand Rao (see [1]).

> As per our understanding this new CHILD_SA with identifier {1} should not be created at all.

As explained to Anand this additional CHILD_SA is caused by acquires
which are triggered by traffic matching the installed policies during
the downtime when the IKE_SA is reauthenticated and no IPsec SA is
installed in the kernel.  Setting reauth=no avoids this downtime (and
consequently this CHILD_SA) because the IKE_SA is rekeyed without
deleting it first.


[1] https://lists.strongswan.org/pipermail/users/2012-April/007401.html
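As an added illustration (not part of the original message), the two ipsec.conf variants the reply contrasts. The connection name, addresses and subnets are made up; the option names (auto, reauth, ikelifetime, margintime) are standard ipsec.conf keywords.

```ini
# Constructed example for illustration; hosts and subnets are placeholders.

# Variant A: reproduces the reported symptom.
# auto=route installs trap policies at startup; reauth=yes (the default,
# whether or not it is written out) tears down the IKE_SA and re-creates it
# at reauthentication time. While no IPsec SA is installed, traffic hitting
# the trap policy raises an acquire and an extra CHILD_SA (e.g. {1}) appears
# next to the one negotiated by the reauthenticated IKE_SA.
conn net-to-net-reauth
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=route
    # reauth=yes          # implicit default in this release
    ikelifetime=60m
    margintime=3m

# Variant B: what the reply recommends.
# reauth=no makes strongSwan rekey the IKE_SA in place instead of deleting
# it first, so there is no window without an IPsec SA, no acquire from the
# trap policy, and therefore no duplicate CHILD_SA.
conn net-to-net-rekey
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=route
    reauth=no
    ikelifetime=60m
    margintime=3m
```

After switching to variant B and restarting the daemon, `ipsec statusall` should keep showing a single CHILD_SA for the connection across IKE_SA lifetime boundaries; if a second `{n}` entry still shows up, check that no other conn or include file is re-enabling reauth for that peer.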
