[strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote
Tobias Brunner
tobias at strongswan.org
Tue Aug 30 10:40:54 CEST 2016
Hi Tore,
> I was under the impression that enabling "charon.make_before_break"
> would only alter how strongSwan behaves when it is the party initiating
> the re-authentication procedure.
Correct.
> In the initiator case, I wouldn't have
> thought there was any need for such heuristics and assumptions, as
> strongSwan should have full knowledge of which old SAs are indeed
> duplicates and therefore should be deleted after the new SAs are
> installed.
Correct.
> You appear to be talking about the responder role, however. What I'm
> not clear about is how exactly does enabling "charon.make_before_break"
> affect strongSwan's behaviour during a re-authentication procedure when
> in the responder role?
Not at all.
> I find it rather nonintuitive that enabling "charon.make_before_break"
> would cause any change at all to strongSwan's responder role behaviour,
> to be honest.
It doesn't.
> Specifically, I don't really understand how the use of the
> "charon.make_before_break" method in strongSwan could possibly prevent
> the remote IKE peer from initiating and performing a "break before
> make" style re-authentication (or vice versa).
It can't.
Regards,
Tobias
More information about the Users
mailing list