[strongSwan] Windows XP sends DELETE

Mark Himsley mark+strongswan at mdsh.com
Mon Jun 3 12:38:18 CEST 2019

Thanks for your reply, Tobias.

On 03/06/2019 10:29, Tobias Brunner wrote:

> I guess the "trick" of older *Swans (that use the pluto daemon) was that
> they completely ignored IKEv1 DELETE payloads (strongSwan did so too
> before 5.0.0).  So unless you are willing to either use an old
> unsupported strongSwan version, or patch the current code so it ignores
> DELETEs too, there isn't anything you can do if the peer insists on
> deleting the IKE_SA (for IKEv1 there is technically no hard relation
> between IKE and IPsec SA, so the latter can exist fine if the former is
> terminated, however, that's not how strongSwan 5+ handles this).

If I'm understanding your email correctly, you are saying that Windows
XP's built-in IPSec is incompatible with StrongSwan 5+ and there is no
way around this. There is no configuration option to say "keep IPsec SA
up after IKE has been deleted" and there is no known way to stop Windows
XP's built-in IPSec from sending that delete request.

Okay - that gives me some ammunition to fire back at The Powers That Be.


