[strongSwan] charon not sending DELETE payload

Gupta, Rohan 1. (NSN - IN/Bangalore) rohan.1.gupta at nsn.com
Wed Apr 2 10:37:00 CEST 2014


I tried using this command but the output suggests that Phase 1(IKE_SA) is also getting re-negotiated. 

Is it possible to use this command to trigger re-negotiation of phase-2(CHILD_SA) only?

# ipsec down r1~v1
deleting IKE_SA r1~v1[1] between[(vr*)]...[(vr*)]
sending DELETE for IKE_SA r1~v1[1]
generating INFORMATIONAL request 0 [ D ]
sending packet: from [500] to [500]
received packet: from [500] to [500]
parsed INFORMATIONAL response 0 [ ]
IKE_SA deleted


-----Original Message-----
From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday, April 02, 2014 1:00 PM
To: Gupta, Rohan 1. (NSN - IN/Bangalore); users at lists.strongswan.org
Subject: Re: [strongSwan] charon not sending DELETE payload

Hi Gupta,

if you are using the setkey command which is part of the ipsec-tools
package to flush a CHILD_SA in the kernel then you cannot expect the
strongSwan IKE daemon to take notice of this event. If you want
an IKE DELETE notify message to be generated then you must take down
the SA with the strongSwan command

   sudo ipsec down <connection name>{<requid>}

Best regards


On 02.04.2014 08:57, Gupta, Rohan 1. (NSN - IN/Bangalore) wrote:
> Hi,
> Recently during my testing of charon with strongswan version 4.3.1, I
> observed that after establishment of the tunnel if I flush the
> child_sa(or the phase 2 SA's) using setkey -F the DELETE payload is not
> sent to the peer.
> Due to this the peer doesn't delete its child_sa and keeps on sending
> traffic with the old SA.
> I have gone through the RFC and found the flowing line
> "/If an IKE endpoint chooses to/
> /   delete CHILD_SAs, it MUST send Delete payloads to the other end/
> /   notifying it of the deletion/"
> Is the above statement applicable for this scenario?
> Can anyone help on what might be wrong?
> Thanks,
> Rohan
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list