[strongSwan] Rejecting traffic with invalid spi

Sebastiano Degan sebdeg87 at gmail.com
Fri Apr 13 14:44:21 CEST 2018


Using strongswan 5.6.1, we set up a site-to-site vpn with a Cisco ASA, not
sure about the specific model.

What happens from time to time is that the phase 2 SA is deleted on our
side, but the ASA will keep sending packets using the old spi, never
realizing those packets are all lost.

My understanding is that DPD works only for phase 1 SA, so the peer is
always considered UP, but the actual data is dropped since no matching
policy is found.

At the moment we manually reboot our server, so DPD is triggered and the
connections are re-established.

Is there an automatic and more elegant way to deal with this problem?
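One automatic way to catch the symptom described above, added here as an
example and not part of the original post or of strongSwan itself: on Linux,
ESP packets whose SPI matches no inbound SA are dropped by the kernel and
counted as XfrmInNoStates in /proc/net/xfrm_stat (requires
CONFIG_XFRM_STATISTICS), so a small watcher can poll that counter and
re-initiate the CHILD_SA when it keeps climbing instead of rebooting the
host. The child name, polling interval, threshold and the re-initiate
command are assumptions, and the two counter readings are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan.
# Assumes a Linux host where strongSwan uses the kernel XFRM stack: ESP
# packets arriving with an SPI that matches no inbound SA are dropped and
# counted as XfrmInNoStates in /proc/net/xfrm_stat. The child name passed
# on the command line and the swanctl re-initiate command are placeholders.

XFRM_STAT_FILE="${XFRM_STAT_FILE:-/proc/net/xfrm_stat}"

# Constructed sample readings in /proc/net/xfrm_stat format, taken 30 s apart.
SAMPLE_BEFORE='XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  12
XfrmInStateProtoError           0'
SAMPLE_AFTER='XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  57
XfrmInStateProtoError           0'

# Print the XfrmInNoStates counter from xfrm_stat-formatted text on stdin
# (0 if the line is absent, e.g. a kernel without XFRM statistics).
no_states_count() {
    awk 'BEGIN { v = 0 } $1 == "XfrmInNoStates" { v = $2 } END { print v }'
}

# True when the counter grew by at least $3 (default 1) between two readings,
# i.e. some peer is still sending ESP on an SPI this side no longer has.
# The threshold filters out the odd stray ESP packet from scanners.
invalid_spi_growing() {
    prev="$1"; cur="$2"; threshold="${3:-1}"
    [ "$((cur - prev))" -ge "$threshold" ]
}

# Poll the counter and re-initiate the CHILD_SA when it keeps climbing.
# Initiating from our side installs fresh SAs on both peers, which is what
# the manual reboot achieves, but without tearing down the IKE_SA.
watch_invalid_spi() {
    child="$1"; interval="${2:-30}"; threshold="${3:-10}"
    prev=$(no_states_count < "$XFRM_STAT_FILE")
    while sleep "$interval"; do
        cur=$(no_states_count < "$XFRM_STAT_FILE")
        if invalid_spi_growing "$prev" "$cur" "$threshold"; then
            echo "XfrmInNoStates rose $prev -> $cur; re-initiating $child" >&2
            # swanctl/vici form; on an ipsec.conf/stroke setup use: ipsec up "$child"
            swanctl --initiate --child "$child" || echo "re-initiate failed" >&2
        fi
        prev="$cur"
    done
}

# Usage: sh watch-spi.sh watch <child-name> [interval-seconds] [threshold]
if [ "${1:-}" = "watch" ]; then
    watch_invalid_spi "$2" "${3:-30}" "${4:-10}"
fi
```

The counter is global, so it only says that unknown-SPI ESP is arriving,
not from which peer; with several tunnels, confirm the source with
`tcpdump -ni <iface> esp` and compare the SPIs seen against `ip xfrm state`
before re-initiating a particular child.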