[strongSwan] charon not sending DELETE payload

Andreas Steffen andreas.steffen at strongswan.org
Wed Apr 2 09:30:18 CEST 2014

Hi Gupta,

if you are using the setkey command which is part of the ipsec-tools
package to flush a CHILD_SA in the kernel then you cannot expect the
strongSwan IKE daemon to take notice of this event. If you want
an IKE DELETE notify message to be generated then you must take down
the SA with the strongSwan command

   sudo ipsec down <connection name>{<requid>}

Best regards


On 02.04.2014 08:57, Gupta, Rohan 1. (NSN - IN/Bangalore) wrote:
> Hi,
> Recently during my testing of charon with strongswan version 4.3.1, I
> observed that after establishment of the tunnel if I flush the
> child_sa (or the phase 2 SAs) using setkey -F the DELETE payload is not
> sent to the peer.
> Due to this the peer doesn’t delete its child_sa and keeps on sending
> traffic with the old SA.
> I have gone through the RFC and found the following line
> "If an IKE endpoint chooses to
>    delete CHILD_SAs, it MUST send Delete payloads to the other end
>    notifying it of the deletion"
> Is the above statement applicable for this scenario?
> Can anyone help on what might be wrong?
> Thanks,
> Rohan

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
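
For reference, the Delete payload that the daemon emits when a CHILD_SA is closed through IKE, and that a kernel-level flush never produces, can be encoded and decoded as follows. This is an added example, not part of the reply above and not strongSwan code; the field layout follows the IKEv2 Delete payload definition (RFC 7296, section 3.11), and the SPI value is a constructed sample.

```python
import struct

PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3      # Protocol ID values in a Delete payload


def build_delete(protocol_id, spis, next_payload=0):
    """Encode a Delete payload (generic payload header + body) for the given SPIs.

    The SPIs listed are the ones the sender would expect in its inbound packets.
    """
    spi_size = len(spis[0]) if spis else 0    # 0 when deleting the IKE SA itself
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs must have the same size")
    if protocol_id in (PROTO_AH, PROTO_ESP) and spi_size != 4:
        raise ValueError("AH/ESP SPIs are 4 bytes")
    body = struct.pack("!BBH", protocol_id, spi_size, len(spis)) + b"".join(spis)
    # Generic payload header: next payload, critical bit/reserved, total length
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_delete(payload):
    """Decode a Delete payload; return (protocol_id, [spi, ...])."""
    if len(payload) < 8:
        raise ValueError("truncated Delete payload")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    protocol_id, spi_size, count = struct.unpack("!BBH", payload[4:8])
    # Reject payloads whose length field disagrees with SPI size * count
    if length != len(payload) or length != 8 + spi_size * count:
        raise ValueError("length field does not match SPI size * count")
    spis = [payload[8 + i * spi_size: 8 + (i + 1) * spi_size] for i in range(count)]
    return protocol_id, spis


if __name__ == "__main__":
    # Constructed sample: inbound ESP SPI of the CHILD_SA being closed
    wire = build_delete(PROTO_ESP, [bytes.fromhex("c1a2b3d4")])
    print(wire.hex())
    print(parse_delete(wire))
```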
