[strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote
tobias at strongswan.org
Mon Aug 22 10:56:38 CEST 2016
> - Is the strongSwan behaving correctly when it is also deleting the ESP
> CHILD_SA when receiving the DELETE IKE_SA from the FortiGate, instead
> of "moving" it to the other active IKE_SA as it appears the FortiGate
> has done? RFC4306, section 2.4 says the following:
> «Closing the IKE_SA implicitly closes all associated CHILD_SAs.»
> ...but this doesn't mention the corner case where there are two
> parallel CHILD_SAs, as was the case for us.
I don't see any corner case. Each of these CHILD_SAs belongs to exactly
one IKE_SA. If the corresponding IKE_SA is closed so is the CHILD_SA.
> - Why does the strongSwan rekey by first deleting the existing IKE_SA
> and then initiating a new one, instead of the other way around? This
> seems to me to be a violation of RFC4306, section 2.8, paragraph 4:
Because that's not a rekeying but a reauthentication. Please read .