[strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

Tobias Brunner tobias at strongswan.org
Mon Aug 22 10:56:38 CEST 2016

Hi Tore,

> - Is the strongSwan behaving correctly when it is also deleting the ESP
>   CHILD_SA when receiving the DELETE IKE_SA from the FortiGate, instead
>   of "moving" it to the other active IKE_SA as it appears the FortiGate
>   has done? RFC4306, section 2.4 says the following:
>   «Closing the IKE_SA implicitly closes all associated CHILD_SAs.»
>   ...but this doesn't mention the corner case where there are two
>   parallel CHILD_SAs, as was the case for us.

I don't see any corner case.  Each of these CHILD_SAs belongs to exactly
one IKE_SA.  If the corresponding IKE_SA is closed so is the CHILD_SA.

> - Why does the strongSwan rekey by first deleting the existing IKE_SA
>   and then initiating a new one, instead of the other way around? This
>   seems to me to be a violation of RFC4306, section 2.8, paragraph 4:

Because that's not a rekeying but a reauthentication.  Please read [1].


[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
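Added configuration example, not part of Tobias's reply or of the strongSwan project documentation: the default behaviour that produces the gap described in the thread (reauthentication tears down the IKE_SA and its CHILD_SAs before the new one exists) next to the settings that switch strongSwan to IKE_SA rekeying and, where reauthentication is still wanted, to make-before-break. The connection name `fortigate`, the lifetimes and the margins are assumed values chosen for illustration.

```ini
# /etc/ipsec.conf  (example, not taken from the mailing-list thread)

# Default-style settings: reauth=yes means that when ikelifetime expires
# strongSwan reauthenticates, i.e. it sends DELETE for the IKE_SA (which,
# per RFC 4306 section 2.4, implicitly closes every CHILD_SA under it) and
# only then sets up a fresh IKE_SA with new CHILD_SAs. Traffic is
# interrupted until the new SAs are up.
conn fortigate-break-before-make
    keyexchange=ikev2
    reauth=yes
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%

# Hardened variant: reauth=no makes strongSwan *rekey* the IKE_SA with a
# CREATE_CHILD_SA exchange instead of reauthenticating; the new IKE_SA
# inherits the CHILD_SAs, so there is no window without an ESP SA.
# Only what strongSwan initiates is affected; the FortiGate can still
# reauthenticate on its own schedule, so align the lifetimes on both ends.
conn fortigate
    keyexchange=ikev2
    reauth=no
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%

# /etc/strongswan.conf  (example)
# If reauthentication is required by policy, make-before-break creates the
# new IKE_SA and CHILD_SAs first and deletes the old IKE_SA afterwards.
# It needs a peer that tolerates overlapping duplicate SAs for a moment.
charon {
    make_before_break = yes
}
```

After changing these values, check with `ipsec statusall` that the CHILD_SAs survive an IKE_SA rekey/reauth rather than reappearing only after a new IKE_SA is established.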

