Hi SK,

just upgrade to the latest strongSwan 5.3.0 stable release which
introduces make-before-break reauthentication for the charon daemon.

Best regards

Andreas

On 13.04.2015 23:48, SM K wrote:
Hi All,

I am seeing a problem with a Cisco891 connected to strongswan 5.1.3
using IKEv1. It seems like a Cisco problem, but I did not see this
problem with strongswan 4.x, maybe because the older strongswan handled
it a different way.

I notice the problem when the Cisco attempts reauthentication of phase1.
It seems that the existing phase1 is first down-ed before the new one is
created. In most other firewalls, I see that a new phase1 is created
before the old one is killed.

The problem with how the Cisco891 does this is that when the phase1 that is
being reauthenticated is deleted, the phase2s are also killed on
strongswan. But these phase2s still exist on the Cisco and it is actively
sending data on them. When the new phase1 is created, strongswan
of course does not have any phase2s to adopt. So we have the Cisco
out-of-sync with strongswan. Is there any way to work around this in
strongswan?

I also noticed that when the child SAs are killed when a phase1 goes
down, it does not send a delete message to the other side. Shouldn't the
full delete process for the child SA be followed so that the other side
also deletes its phase2s?

Thanks in advance,
SK




_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users


--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
