[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared
tobias at strongswan.org
Fri Apr 13 09:12:21 CEST 2012
> We have added reauth=no to the ipsec.conf and retested our scenario
> once. We could observe from the tcpdump on the node triggering the
> traffic that even now an INFORMATIONAL message (with Next Payload:
> Delete) is sent just before IKE_SA re-keying [behaviour is same as
> was with reauth=yes ].
Without the logs it's hard to tell exactly, but the delete could be from
rekeying the CHILD_SA. You've configured
> conn RULE1~VPN1
that is, the CHILD_SA will be rekeyed the second time about when the
IKE_SA is rekeyed for the first time (the exact times for both are
determined randomly, see ).