On Sun, Jun 7, 2015 at 12:21 AM, Noam Lampert <[email protected]> wrote:
> ends a delete

I had a similar problem with Cisco 891 firewalls, when it reauths the IKE SA. It deleted the expired IKE SA before creating a new one. But the delete of the IKE SA deletes the child SAs on strongSwan (kinda silently). The firewall, however, continues to use the child SA. If the firewall had created the new IKE SA before deleting the old one, the child SAs would have been adopted by the new IKE SA and everything would be dandy.

In my setup, I fixed it by adding a check that if an IKE SA being deleted has child SAs, the delete returns a success without deleting the IKE SA. When the new IKE SA is created, it adopts the previous IKE SA's children and replaces the old one.

-sk
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
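
The ordering problem described in the message above, as an added example that is not part of the original post and is not strongSwan code: a simplified C model in which every type and function name is hypothetical and the SPI values are constructed. It compares delete-first reauthentication, with and without the described check, against creating the new IKE SA first.

```c
/* Simplified model; not strongSwan code. Names are hypothetical, SPIs constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    bool alive;               /* IKE SA still present locally */
    unsigned children[4];     /* SPIs of CHILD SAs owned by this IKE SA */
    size_t n_children;
} ike_sa_t;

/* Peer sent DELETE for the IKE SA. With keep_if_children set, the delete is
 * acknowledged but the SA is kept while it still owns CHILD SAs. */
static void on_peer_delete(ike_sa_t *sa, bool keep_if_children)
{
    if (keep_if_children && sa->n_children > 0)
        return;               /* SA and children stay available for adoption */
    sa->n_children = 0;       /* CHILD SAs go away together with the IKE SA */
    sa->alive = false;
}

/* A new IKE SA with the same peer came up: adopt the old SA's children, replace it. */
static void on_new_ike_sa(ike_sa_t *new_sa, ike_sa_t *old_sa)
{
    for (size_t i = 0; old_sa->alive && i < old_sa->n_children; i++)
        new_sa->children[new_sa->n_children++] = old_sa->children[i];
    old_sa->n_children = 0;
    old_sa->alive = false;
}

/* Returns how many CHILD SAs the new IKE SA owns after one reauthentication. */
size_t reauth(bool delete_first, bool keep_if_children)
{
    ike_sa_t old_sa = { .alive = true, .children = { 0xc0de0001u, 0xc0de0002u }, .n_children = 2 };
    ike_sa_t new_sa = { .alive = true };
    if (delete_first) on_peer_delete(&old_sa, keep_if_children);
    on_new_ike_sa(&new_sa, &old_sa);
    if (!delete_first) on_peer_delete(&old_sa, keep_if_children);
    return new_sa.n_children;
}

int main(void)
{
    printf("delete first: %zu, delete first with check: %zu, new SA first: %zu\n",
           reauth(true, false), reauth(true, true), reauth(false, false));
    return 0;
}
```

A result of 0 in the delete-first case is the mismatch from the message: the local side has no CHILD SAs left while the peer keeps sending on them.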
