[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared

Ghosh, Anurag (EXT-Aricent - IN) anurag.ghosh.ext at nsn.com
Wed Apr 11 17:30:41 CEST 2012

Hi Tobias,
Thanks a lot for the information. 
We will test the scenario as per your inputs and let you know the results.
Thanks and Regards,
Anurag Ghosh


From: ext Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Wed 4/11/2012 8:28 PM
To: Ghosh, Anurag (EXT-Aricent - IN)
Cc: users at lists.strongswan.org; jyoti.singh at aricent.com; Agarwal, Nupur (EXT-Aricent - US); Dharwadkar, Sriram (NSN - IN/Bangalore)
Subject: Re: Reporting Issue:Old CHILD_SA not getting cleared

Hi Anurag,

> As per the below conf file I assume that reauth is set to "yes", even
> though I do not set it explicitly. Can you please confirm this?

Yes, reauth=yes is currently the default.  And by using auto=route you
created the same problem as recently discussed on this mailing list with
Anand Rao (see [1]).

> As per our understanding this new CHILD_SA with identifier {1} should not be created at all.

As explained to Anand this additional CHILD_SA is caused by acquires
which are triggered by traffic matching the installed policies during
the downtime when the IKE_SA is reauthenticated and no IPsec SA is
installed in the kernel.  Setting reauth=no avoids this downtime (and
consequently this CHILD_SA) because the IKE_SA is rekeyed without
deleting it first.


[1] https://lists.strongswan.org/pipermail/users/2012-April/007401.html
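An ipsec.conf fragment showing the change Tobias recommends (reauth=no alongside auto=route), added here as an illustration; it is not taken from the original thread or from the poster's own configuration, and the conn name, addresses and subnets are assumptions:

```ini
config setup

conn site-a-to-site-b
    # assumed endpoint and subnet values, not from the thread
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    keyexchange=ikev2
    # auto=route installs trap policies, so traffic matching them raises an
    # acquire. With reauth=yes (the default) the IKE_SA is deleted and
    # re-established on reauthentication, and an acquire that arrives while
    # no IPsec SA is installed creates the extra CHILD_SA seen as {1}.
    auto=route
    # rekey the IKE_SA in place instead of deleting and re-creating it,
    # so there is no window without an installed IPsec SA
    reauth=no
```

After the change, `ipsec statusall` should show a single CHILD_SA instance for the conn across IKE_SA rekeys rather than an additional one appearing after each reauthentication.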
