[strongSwan] Reporting Issue:Old CHILD_SA not getting cleared

Tobias Brunner tobias at strongswan.org
Fri Apr 13 09:12:21 CEST 2012

Hi Anurag,

> We have added reauth=no to the ipsec.conf and retested our scenario
> once. We could observe from the tcpdump on the node triggering the
> traffic that even now an INFORMATIONAL message (with Next Payload:
> Delete) is sent just before IKE_SA re-keying [behaviour is same as
> was with reauth=yes ].

Without the logs it's hard to tell exactly, but the delete could be from
rekeying the CHILD_SA.  You've configured

> conn RULE1~VPN1
> rekeymargin=100
> rekeyfuzz=100%
> ...
> ikelifetime=600s
> keylife=300s
> ...

that is, the CHILD_SA will be rekeyed the second time about when the
IKE_SA is rekeyed for the first time (the exact times for both is
determined randomly, see [1]).


[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

More information about the Users mailing list