[strongSwan] Charon IKEv1 rekeying?

Andreas Ntaflos daff at pseudoterminal.org
Thu May 9 00:43:44 CEST 2013


On 2013-05-03 10:36, Gerald Richter - ECOS wrote:
> Hi,
> 
> during the debugging of IKEv1 rekeying I found out that the old
> IKE_SA gets deleted before the new one is fully established.
[...]
> So from my point of view the local deletion of the ike_sa needs to be
> delayed after the new ike_sa is fully established.
> 
> Any comments?

Hi,

I can't comment much except that I believe I am seeing the same problem.
StrongSwan 5.0.3 with IKEv1 against a Cisco ASA (over which I have no
control at all).

I tried setting "uniqueids = no" (as per the previous discussions on the
topic) but that doesn't seem to help much.

In the logs this looks like this with "uniqueids = no":
http://pastie.org/pastes/7820117/text?key=rdfidtfi8cogiglommtoq

With "uniqueids = yes":
http://pastie.org/pastes/7820136/text?key=rmcgqev4atibcsjipf5rfw

In both cases I have to do "ipsec up theconnection" to start it again.

Andreas
