[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared
Tobias Brunner
tobias at strongswan.org
Fri Apr 13 09:12:21 CEST 2012
Hi Anurag,
> We have added reauth=no to the ipsec.conf and retested our scenario
> once. We could observe from the tcpdump on the node triggering the
> traffic that even now an INFORMATIONAL message (with Next Payload:
> Delete) is sent just before IKE_SA re-keying [the behaviour is the same
> as it was with reauth=yes].
Without the logs it's hard to tell exactly, but the delete could be from
rekeying the CHILD_SA. You've configured
> conn RULE1~VPN1
> rekeymargin=100
> rekeyfuzz=100%
> ...
> ikelifetime=600s
> keylife=300s
> ...
that is, the CHILD_SA will be rekeyed the second time at about the time the
IKE_SA is rekeyed for the first time (the exact times for both are
determined randomly, see [1]).
Regards,
Tobias
[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
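As an added illustration, not part of this thread, the rekey windows implied by the quoted settings can be computed. The code assumes strongSwan's scheduling rule: a rekey is scheduled margintime (rekeymargin) seconds before the lifetime ends, and that margin is randomly enlarged by up to rekeyfuzz percent; the ipsec.conf fragment and the function names are constructed for this example.

```python
import re

# Constructed ipsec.conf fragment using the values quoted in this thread
IPSEC_CONF = """
conn RULE1~VPN1
    rekeymargin=100
    rekeyfuzz=100%
    ikelifetime=600s
    keylife=300s
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_seconds(value):
    """Convert a strongSwan time value ('600s', '9m', '3h', '100') to seconds."""
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", value.strip()).groups()
    return int(num) * UNITS[unit]

def parse_conn(text):
    """Pull the rekey-related settings out of a single conn section."""
    raw = dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)
    return {
        "ikelifetime": parse_seconds(raw.get("ikelifetime", "3h")),
        "lifetime": parse_seconds(raw.get("keylife", raw.get("lifetime", "1h"))),
        "margin": parse_seconds(raw.get("rekeymargin", raw.get("margintime", "9m"))),
        "fuzz": int(raw.get("rekeyfuzz", "100%").rstrip("%")),
    }

def rekey_window(lifetime, margin, fuzz):
    """Earliest/latest rekey time in seconds after the SA was established.
    Assumed rule: rekey `margin` seconds before `lifetime`, with the margin
    randomly enlarged by up to `fuzz` percent (rekeyfuzz)."""
    return (lifetime - margin - margin * fuzz // 100, lifetime - margin)

def nth_window(window, n):
    """Each replacement SA restarts its timer, so the n-th rekey lands
    about n times as far out (negotiation delay ignored)."""
    return (n * window[0], n * window[1])

def first_child_rekey_near_ike_rekey(cfg, max_n=10):
    """Smallest n whose n-th CHILD_SA rekey window can coincide with the
    first IKE_SA rekey window, or None if none does within max_n."""
    ike = rekey_window(cfg["ikelifetime"], cfg["margin"], cfg["fuzz"])
    child = rekey_window(cfg["lifetime"], cfg["margin"], cfg["fuzz"])
    for n in range(1, max_n + 1):
        lo, hi = nth_window(child, n)
        if lo <= ike[1] and ike[0] <= hi:
            return n
    return None
```

With the quoted values the IKE_SA rekey falls between 400 s and 500 s and each CHILD_SA rekey between 100 s and 200 s after its SA was set up, so the second CHILD_SA rekey (200 s to 400 s) is the first one that can coincide with the IKE_SA rekey, matching the explanation above.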