On Fri, 8 May 2015 14:45:49 +0300 Timo Teras <[email protected]> wrote:
> Please disregard the below.
>
> Racoon does support IKE_SA deletion. It seems there was somehow a
> mismatch on the CHILD_SAs the racoon side initiated, and what
> strongSwan initiated. It's slightly curious how that resulted in total
> disconnect, but it might've been related to other scripts I use.
>
> Also that patch posted does not probably work correctly unless an
> additional REKEYED state is introduced to IKE_SA and marked as such
> when children have been adopted - otherwise the IKE_SA rekeyed by
> remote will be rekeyed again by us.
>
> I'll investigate more.

Once more on this topic.

What happens when racoon rekeys is that strongSwan detects the rekeying and posts the adopt_children_job. It will also delete the IKE_SA silently -> that is, no ISAKMP_DELETE notification is sent to racoon.

This is why racoon considers DPD triggered, and once it detects the IKE_SA dead, it will flush all other IKE_SAs and CHILD_SAs away.

While it is a racoon bug that it does not check for other valid IKE_SAs for the same peer -- I think strongSwan should be improved to send an ISAKMP_DELETE notification once it decides to delete the IKE_SA as a result of rekeying. Or, back to the point of my previous mail, not deleting the IKE_SA at all, but letting it expire 'naturally'.

Any thoughts?

Thanks,
Timo

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev

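The interaction Timo describes can be modelled as a small state machine to see why the silent delete takes every SA down on the racoon side while either of his two proposals (send ISAKMP_DELETE, or leave the old IKE_SA to expire) does not. The following is an added example, not code from the mail, from strongSwan or from racoon: the `Peer`, `IkeSa`, `rekey_ike_sa` and `simulate` names, the SPI labels `ike-1`/`ike-2` and the CHILD_SA names are constructed for the model, and racoon's "dead IKE_SA means dead peer, flush everything" behaviour is taken from the mail's description, not from racoon's source.

```python
# Added example (not part of Timo's mail or of the strongSwan/racoon code):
# a toy model of the IKEv1 rekey / DPD interaction the mail describes.
# Peer, IkeSa, the SPI labels and CHILD_SA names are constructed for this
# model; racoon's "flush everything on DPD failure" is as the mail reports it.
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: str
    children: set = field(default_factory=set)


class Peer:
    def __init__(self, name, flush_all_on_dpd_failure):
        self.name = name
        # racoon-like behaviour per the mail: one dead IKE_SA => whole peer dead
        self.flush_all_on_dpd_failure = flush_all_on_dpd_failure
        self.ike_sas = {}  # spi -> IkeSa
        self.log = []

    def install(self, spi, children):
        self.ike_sas[spi] = IkeSa(spi, set(children))

    def receive_delete(self, spi):
        # ISAKMP DELETE names one IKE_SA: drop only that SA
        if self.ike_sas.pop(spi, None) is not None:
            self.log.append(f"{self.name}: DELETE for {spi} received, removed")

    def run_dpd(self, remote):
        # DPD runs per IKE_SA: R-U-THERE on an SA the remote no longer holds
        # goes unanswered, so that SA is considered dead
        for spi in list(self.ike_sas):
            if spi in remote.ike_sas:
                self.log.append(f"{self.name}: DPD on {spi} ok")
                continue
            if self.flush_all_on_dpd_failure:
                self.log.append(f"{self.name}: DPD on {spi} failed, flushing all SAs")
                self.ike_sas.clear()
                return
            self.log.append(f"{self.name}: DPD on {spi} failed, dropping only {spi}")
            del self.ike_sas[spi]


def rekey_ike_sa(initiator, responder, old_spi, new_spi, old_sa_policy):
    """Initiator rekeys old_spi to new_spi; both sides move the CHILD_SAs over.

    old_sa_policy is what the responder does with the old IKE_SA:
      'silent_delete' - drop it without notifying (behaviour the mail reports)
      'delete_notify' - send ISAKMP DELETE before dropping it (first proposal)
      'keep'          - leave it in place to expire naturally (second proposal)
    """
    for peer in (initiator, responder):
        peer.install(new_spi, peer.ike_sas[old_spi].children)
        peer.ike_sas[old_spi].children.clear()  # children adopted by new_spi
    if old_sa_policy == "keep":
        return
    del responder.ike_sas[old_spi]
    if old_sa_policy == "delete_notify":
        initiator.receive_delete(old_spi)


def simulate(old_sa_policy):
    """Return (racoon's IKE_SA list, strongSwan's IKE_SA list) after one rekey
    by racoon followed by one DPD round on the racoon side."""
    racoon = Peer("racoon", flush_all_on_dpd_failure=True)
    sswan = Peer("strongswan", flush_all_on_dpd_failure=False)
    for peer in (racoon, sswan):
        peer.install("ike-1", {"child-a", "child-b"})  # constructed names
    rekey_ike_sa(racoon, sswan, "ike-1", "ike-2", old_sa_policy)
    racoon.run_dpd(sswan)
    return sorted(racoon.ike_sas), sorted(sswan.ike_sas)


if __name__ == "__main__":
    for policy in ("silent_delete", "delete_notify", "keep"):
        print(policy, simulate(policy))
```

With `silent_delete` the racoon side ends up with no IKE_SAs at all while strongSwan still holds `ike-2`, which is the total disconnect the mail reports; `delete_notify` leaves both sides agreeing on `ike-2` only, and `keep` leaves both holding `ike-1` and `ike-2` until the old one expires. The model only covers the DPD round; what the remaining SAs carry after that is outside what the mail describes.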