[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared
Tobias Brunner
tobias at strongswan.org
Wed Apr 11 16:58:46 CEST 2012
Hi Anurag,
> As per the below conf file I assume that reauth is set to "yes", even
> though I do not set it explicitly. Can you please confirm this?
Yes, reauth=yes is currently the default. And by using auto=route you
created the same problem as recently discussed on this mailing list with
Anand Rao (see [1]).
> As per our understanding this new CHILD_SA with identifier {1} should not be created at all.
As explained to Anand, this additional CHILD_SA is caused by acquires
which are triggered by traffic matching the installed policies during
the downtime when the IKE_SA is reauthenticated and no IPsec SA is
installed in the kernel. Setting reauth=no avoids this downtime (and
consequently this CHILD_SA) because the IKE_SA is rekeyed without
deleting it first.
Regards,
Tobias
[1] https://lists.strongswan.org/pipermail/users/2012-April/007401.html
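
An added example, not part of the original message and not the poster's configuration: an ipsec.conf fragment that puts the combination discussed above (auto=route with the default reauth=yes) next to the change suggested in the reply (reauth=no). Connection names, addresses and subnets are constructed placeholders, and authentication settings are left out.

```conf
# ipsec.conf fragment (constructed example; names, addresses and subnets
# are placeholders, authentication settings omitted).
# The two conn sections are alternatives shown for comparison; load only one.

# Combination discussed in the thread:
#   auto=route   -> trap policies are installed in the kernel
#   reauth=yes   -> the default; the IKE_SA is deleted and set up again
#                   when it is reauthenticated
# Traffic that matches the installed policies while no IPsec SA is in the
# kernel triggers an acquire, which results in the additional CHILD_SA.
conn site-before
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=192.0.2.2
    rightsubnet=10.2.0.0/16
    auto=route
    # reauth is not set here, so reauth=yes applies

# Change suggested in the reply: the IKE_SA is rekeyed without being
# deleted first, so there is no window without an installed IPsec SA.
conn site-after
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=192.0.2.2
    rightsubnet=10.2.0.0/16
    auto=route
    reauth=no
```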