[strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote
Tobias Brunner
tobias at strongswan.org
Mon Aug 22 10:56:38 CEST 2016
Hi Tore,
> - Is the strongSwan behaving correctly when it is also deleting the ESP
> CHILD_SA when receiving the DELETE IKE_SA from the FortiGate, instead
> of "moving" it to the other active IKE_SA as it appears the FortiGate
> has done? RFC4306, section 2.4 says the following:
>
> «Closing the IKE_SA implicitly closes all associated CHILD_SAs.»
>
> ...but this doesn't mention the corner case where there are two
> parallel CHILD_SAs, as was the case for us.
I don't see any corner case. Each of these CHILD_SAs belongs to exactly
one IKE_SA. If the corresponding IKE_SA is closed, so is the CHILD_SA.
> - Why does the strongSwan rekey by first deleting the existing IKE_SA
> and then initiating a new one, instead of the other way around? This
> seems to me to be a violation of RFC4306, section 2.8, paragraph 4:
Because that's not a rekeying but a reauthentication. Please read [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
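As an added illustration that is not part of the thread or of strongSwan's own documentation: the swanctl.conf settings that decide whether an expiring IKE_SA is rekeyed (new IKE_SA first, CHILD_SAs carried over) or reauthenticated (old IKE_SA and its CHILD_SAs deleted, then a fresh IKE_SA and fresh CHILD_SAs). The connection name, addresses and traffic selectors are placeholders.

```conf
connections {
    fortigate {
        version = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1

        # Reauthentication: 0 disables it (swanctl default). When set, the
        # IKE_SA is torn down with every CHILD_SA it owns before a new
        # IKE_SA is authenticated, so traffic is interrupted during the
        # switch (this is the DELETE-then-IKE_SA_INIT sequence seen above).
        reauth_time = 0

        # Rekeying: a replacement IKE_SA is created with CREATE_CHILD_SA
        # and the existing CHILD_SAs are moved to it before the old IKE_SA
        # is deleted, so ESP traffic keeps flowing.
        rekey_time = 4h
        # Hard lifetime margin and jitter on top of rekey_time.
        over_time  = 10m
        rand_time  = 5m

        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # Per-CHILD_SA rekeying is independent of the IKE_SA.
                rekey_time = 1h
            }
        }
    }
}
```

The equivalent in the legacy ipsec.conf is `reauth=no` together with `ikelifetime=`; `reauth=yes` (the ipsec.conf default) selects the delete-and-recreate behaviour.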