[strongSwan] charon not sending DELETE payload

Mikael Magnusson mikma264 at gmail.com
Thu Apr 3 16:30:46 CEST 2014


On 04/02/2014 09:30 AM, Andreas Steffen wrote:
> Hi Gupta,
>
> if you are using the setkey command which is part of the ipsec-tools
> package to flush a CHILD_SA in the kernel then you cannot expect the
> strongSwan IKE daemon to take notice of this event.

The same seems to happen if you use the ip command (from iproute).

 ip x s deleteall reqid <reqid>

> If you want
> an IKE DELETE notify message to be generated then you must take down
> the SA with the strongSwan command
>
>   sudo ipsec down <connection name>{<requid>}
>
> Best regards
>
> Andreas
>
> On 02.04.2014 08:57, Gupta, Rohan 1. (NSN - IN/Bangalore) wrote:
>> Hi,
>> Recently during my testing of charon with strongswan version 4.3.1, I
>> observed that after establishment of the tunnel if I flush the
>> child_sa (or the phase 2 SA's) using setkey --F the DELETE payload is not
>> sent to the peer.
>> Due to this the peer doesn't delete its child_sa and keeps on sending
>> traffic with the old SA.
>> I have gone through the RFC and found the following line
>> "/If an IKE endpoint chooses to/
>> /   delete CHILD_SAs, it MUST send Delete payloads to the other end/
>> /   notifying it of the deletion/"
>> Is the above statement applicable for this scenario?
>> Can anyone help on what might be wrong?
>> Thanks,
>> Rohan
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
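
Added example, not part of the thread or of strongSwan: a shell check that compares the CHILD_SAs charon reports as INSTALLED with the SPIs actually present in the kernel, which is the mismatch left behind when SAs are removed with `setkey` or `ip x s deleteall` instead of `ipsec down`. The function names and both sample texts are constructed, and the line layouts of `ipsec status` and `ip xfrm state` are assumed to look like the samples.

```shell
#!/bin/sh
# Constructed sample: charon still lists two CHILD_SAs as installed.
STATUS_SAMPLE='Security Associations:
        home[1]: ESTABLISHED 5 minutes ago, 192.0.2.10[alice]...192.0.2.1[gw]
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: c9d1a2b3_i c5e6f7a8_o
        home{1}:   10.3.0.1/32 === 10.1.0.0/16
        lab{2}:  INSTALLED, TUNNEL, ESP SPIs: c0ffee01_i c0ffee02_o'

# Constructed sample: kernel state after "ip x s deleteall reqid 1".
XFRM_SAMPLE='src 192.0.2.10 dst 192.0.2.1
        proto esp spi 0xc0ffee02 reqid 2 mode tunnel
src 192.0.2.1 dst 192.0.2.10
        proto esp spi 0xc0ffee01 reqid 2 mode tunnel'

# Print "<conn>{<reqid>} <spi>" for every CHILD_SA charon reports as INSTALLED.
charon_sas() {
  awk '/INSTALLED/ {
    sa = $1; sub(/:$/, "", sa)
    for (i = 2; i <= NF; i++)
      if ($i ~ /^[0-9a-f]+_[io]$/) { spi = $i; sub(/_[io]$/, "", spi); print sa, spi }
  }'
}

# Print every SPI found in the kernel SA listing, without the 0x prefix.
kernel_spis() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i == "spi") { s = $(i + 1); sub(/^0x/, "", s); print s } }'
}

# $1 = "ipsec status" text, $2 = "ip xfrm state" text.
# Prints each CHILD_SA charon still tracks although an SPI is gone from the kernel.
stale_sas() {
  kernel=$(printf '%s\n' "$2" | kernel_spis)
  printf '%s\n' "$1" | charon_sas | while read -r sa spi; do
    printf '%s\n' "$kernel" | grep -qxF "$spi" || printf '%s\n' "$sa"
  done | sort -u
}

# On a live gateway: stale_sas "$(ipsec status)" "$(ip xfrm state)"
stale_sas "$STATUS_SAMPLE" "$XFRM_SAMPLE"
```

Each name it prints is a CHILD_SA the daemon has not been told about, so the peer has received no DELETE for it.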
