Thank you Tobias,

Option 1 (ignore a phase1 delete) worked for me.

Regards,
SK

On Wed, Apr 15, 2015 at 12:43 AM, Tobias Brunner <[email protected]> wrote:
> Hi,
>
> > Are IKEv1s expected to break all connections before making a new one?
> > Or
> > Are they expected to make a new one before breaking the old one?
>
> The latter, but that's just how charon expects it. ISAKMP as such does
> not require a Ph1 SA between peers that have Ph2 SAs (see [1]).
>
> > 1. Ignore a Phase 1 delete if it still has phase2s. This is for IKEv1
> > only since we are testing with ikev1 firewalls only.
> > 2. Instead of silently deleting Phase2s, do a proper delete that sends
> > out a DELETE to the other side. Would this be difficult to implement?
>
> 2 will only work if the SAs are recreated again automatically (e.g. if
> you use auto=route). But it's definitely more difficult to implement.
> So I'd try 1 first.
>
> Regards,
> Tobias
>
> [1] https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.3