Hey, We are having trouble building a steady connection with a Palo Alto device. The Palo Alto supports only IKEv1. When the IKE-SA expires on the Palo-Alto device, it sends a delete-SA. This causes strongswan to delete the child-SAs negotiated with that IKE SA, but the Palo Alto continues to use those CHILD-SAs to send traffic until they expire as well (which can be quite some time).
What do you think? Is this a bug in strongswan or in Palo Alto? Can you point me to the relevant RFC excerpts? Thanks, Noam
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
