Hi Noam,

> What is the correct behavior in IKEv1? Deleting the child-SAs when the
> IKE SA gets deleted, or keeping them around until they expire?

Having Phase 2 SAs without Phase 1 SAs is fine with IKEv1 (see [1]). However, charon is mainly an IKEv2 daemon, where this is not the case. To simplify the implementation, charon follows the "continuous channel model" also for IKEv1 (and does not support the other model). That is, its current data model has CHILD_SAs logically attached to IKE_SAs, and if an IKE_SA is terminated, so are its CHILD_SAs.

Regards,
Tobias

[1] https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.3
