[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared
Ghosh, Anurag (EXT-Aricent - IN)
anurag.ghosh.ext at nsn.com
Wed Apr 11 17:30:41 CEST 2012
Hi Tobias,
Thanks a lot for the information.
We will test the scenario as per your inputs and let you know the results.
Thanks and Regards,
Anurag Ghosh
________________________________
From: ext Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Wed 4/11/2012 8:28 PM
To: Ghosh, Anurag (EXT-Aricent - IN)
Cc: users at lists.strongswan.org; jyoti.singh at aricent.com; Agarwal, Nupur (EXT-Aricent - US); Dharwadkar, Sriram (NSN - IN/Bangalore)
Subject: Re: Reporting Issue:Old CHILD_SA not getting cleared
Hi Anurag,
> As per the below conf file I assume that reauth is set to "yes", even
> though I do not set it explicitly. Can you please confirm this?
Yes, reauth=yes is currently the default. And by using auto=route you
created the same problem as recently discussed on this mailing list with
Anand Rao (see [1]).
> As per our understanding this new CHILD_SA with identifier {1} should not be created at all.
As explained to Anand this additional CHILD_SA is caused by acquires
which are triggered by traffic matching the installed policies during
the downtime when the IKE_SA is reauthenticated and no IPsec SA is
installed in the kernel. Setting reauth=no avoids this downtime (and
consequently this CHILD_SA) because the IKE_SA is rekeyed without
deleting it first.
Regards,
Tobias
[1] https://lists.strongswan.org/pipermail/users/2012-April/007401.html