[strongSwan] [strongSwan-dev] problem with a cisco891 after reauthentication
Tobias Brunner
tobias at strongswan.org
Wed Apr 15 09:43:23 CEST 2015
Hi,
> Are IKEv1s expected to break all connections before making a new one?
> Or
> Are they expected to make a new one before breaking the old one?
The latter, but that's just how charon expects it. ISAKMP as such does
not require a Ph1 SA between peers that have Ph2 SAs (see [1]).
> 1. Ignore a Phase 1 delete if it still has phase2s. This is for IKEv1
> only since we are testing with ikev1 firewalls only.
> 2. Instead of silently deleting Phase2s, do a proper delete that sends
> out a DELETE to the other side. Would this be difficult to implement?
2 will only work if the SAs are recreated again automatically (e.g. if
you use auto=route). But it's definitely more difficult to implement.
So I'd try 1 first.
Regards,
Tobias
[1] https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.3
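Added here as an illustration of the configuration the reply alludes to (not part of the list post and not strongSwan project code): an ipsec.conf connection with auto=route, the mode in which charon installs trap policies so that a deleted IPsec SA is re-created on demand by the next matching packet, which is what option 2 above depends on. Connection name, addresses and subnets are placeholders; the peer settings (PSK, proposals) are assumed to match whatever the Cisco side is configured with.

```ini
# Example ipsec.conf fragment (constructed for illustration; placeholder names/addresses)
conn to-cisco
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=203.0.113.1
    rightsubnet=10.2.0.0/24
    authby=psk
    # Install trap policies instead of bringing the tunnel up once:
    # after a DELETE the next packet for the subnets triggers a fresh
    # Phase 1/Phase 2 negotiation automatically.
    auto=route
    # Dead peer detection so a vanished peer leads to a restart rather
    # than a tunnel that silently stays down.
    dpdaction=restart
    dpddelay=30s
```

With auto=start instead, a delete would leave the policies removed and nothing would trigger re-establishment, which is the situation the reply describes.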