[strongSwan] Behavior on receiving NO_ADDITIONAL_SAS
Martin Willi
martin at strongswan.org
Thu Feb 28 12:59:46 CET 2013
Hi,
> Scenario-1--> No child SA allowed using CREATE_CHILD_SA (apart from the
> one created during the AUTH exchange). How does strongswan behave in
> this case? Will it delete the IKE and try to recreate the IKE & child
> again?
No. The CHILD_SA does not get created, but no further actions follow.
The existing IKE_SA and its child(ren) stay as they are.
There is a global strongswan.conf option called
charon.close_ike_on_child_failure, but this closes the IKE_SA only if
establishing the initial CHILD_SA fails during IKE_AUTH.
> Scenario-2--> Already <N> child SAs are created and the peer doesn't support
> an N+1th child SA under the given IKE (is it possible to enforce such a
> restriction?)
strongSwan does not have such a limit.
> How does strongswan behave in this case? Will it delete the IKE and
> all the child SAs under that IKE and try to recreate the IKE & child SAs
> again?
No, same behavior as in Scenario 1.
> Scenario-3--> Reject IKE rekeying request using CREATE_CHILD_SA from
> the peer. How does strongswan behave in this case? Will it delete the
> IKE and all the child SAs under that IKE and try to recreate the IKE &
> child SAs again?
Yes. If IKE_SA rekeying gets rejected, charon starts re-authentication.
This means it closes the IKE_SA with all CHILD_SAs, then recreates the
IKE_SA with all previously established CHILD_SAs.
> Scenario-4--> In case of a 1-IKE and multiple child-SA configuration, if
> the peer rejects the rekey request for any of the child (ESP) SAs with
> "NO_ADDITIONAL_SAS", how does strongswan behave in this case?
It will trigger a reauthentication, identical to Scenario 3.
Regards
Martin