Thank you for the clarification.

Regards,
Naveen
On Fri, Jul 22, 2022 at 5:27 AM Tobias Brunner <tob...@strongswan.org> wrote:

> Hi Naveen,
>
> > I am seeing an issue, where I am
> > seeing DELETE request for the rekeyed child sa before CHILD-SA rekey
> > response, however the peer is sending child-sa rekey response first
> > and then the delete, is it possible because of the network latency issue,
> > if so how can I have a workaround for this issue. Because of this my
> > current session is getting destroyed, I have make-before-break enabled
> > as well.
>
> The problem is that the responder of a CHILD_SA rekeying should never
> send a DELETE for the old CHILD_SA unless there was a rekey collision
> that the responder actually won (i.e. both peers rekeyed the same
> CHILD_SA concurrently, which is properly handled because the initiator
> knows the peer initiated the winning SA). If we receive a DELETE for a
> CHILD_SA outside of a rekey collision, we interpret that as a request to
> delete that CHILD_SA (and its possible successors). So please report
> this flaw to the developers of the respective responder implementation.
>
> Regards,
> Tobias
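A simplified model of the rule described in the quoted reply, added here as an illustration (it is not strongSwan code and not part of the thread): it classifies a peer's DELETE for the old CHILD_SA against the rekey traffic seen for that SA. The `Msg` fields, result labels, SPI and nonces are constructed for the example; the lowest-nonce collision rule is the one from RFC 7296, section 2.8.1.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    sender: str          # "us" or "peer"
    kind: str            # "rekey_req", "rekey_resp" or "delete_req"
    spi: int             # old CHILD_SA this message concerns (model field)
    nonce: bytes = b""   # Ni/Nr of a CREATE_CHILD_SA message

def exchange_nonces(msgs, old_spi, initiator):
    """Nonces of the rekey exchange for old_spi started by `initiator`."""
    responder = "peer" if initiator == "us" else "us"
    return [m.nonce for m in msgs if m.spi == old_spi and
            (m.sender, m.kind) in ((initiator, "rekey_req"),
                                   (responder, "rekey_resp"))]

def classify_peer_delete(msgs, old_spi):
    """Judge a DELETE the peer sent for old_spi against the rekey traffic."""
    if not any(m.sender == "peer" and m.kind == "delete_req"
               and m.spi == old_spi for m in msgs):
        return "no-peer-delete"
    ours = exchange_nonces(msgs, old_spi, "us")
    theirs = exchange_nonces(msgs, old_spi, "peer")
    if not theirs:
        # Peer was only the responder: no collision, so this is read as a
        # request to delete the CHILD_SA (the case reported in the thread).
        return "unexpected-delete"
    if not ours:
        return "peer-initiated-rekey"   # the rekey initiator deletes the old SA
    # Collision: the exchange holding the lowest of the four nonces loses.
    # bytes comparison is octet-by-octet, as RFC 7296 requires.
    return "collision-peer-won" if min(ours + theirs) in ours else "collision-peer-lost"

# Constructed traces (SPI and nonces are made-up sample values).
OLD = 0xC0FFEE01
REPORTED = [Msg("us", "rekey_req", OLD, b"\x5a\x01"),
            Msg("peer", "delete_req", OLD),
            Msg("peer", "rekey_resp", OLD, b"\x9c\x02")]
COLLISION = [Msg("us", "rekey_req", OLD, b"\x11\x01"),
             Msg("peer", "rekey_req", OLD, b"\x80\x01"),
             Msg("us", "rekey_resp", OLD, b"\x90\x02"),
             Msg("peer", "rekey_resp", OLD, b"\x70\x02"),
             Msg("peer", "delete_req", OLD)]

if __name__ == "__main__":
    print(classify_peer_delete(REPORTED, OLD))
    print(classify_peer_delete(COLLISION, OLD))
```

The result does not depend on whether the DELETE arrives before or after the rekey response; only the presence of a concurrent rekey from the peer changes the classification.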