commit ecb9c88910df1fb070488835bf3180096f3ccba3
Author: CHEN, JIANFU (RC-CA) <[email protected]>
Date:   Tue Aug 18 10:08:55 2015 -0400

    IKEv1: Remove all IPsec SAs of a connection when the newest SA is removed.

    This behaviour is similar to "ipsec auto --down connection-name".

    This resolves an interop issue with Cisco where, after a brief outage,
    sometimes the connection results in two IPsec SAs being established. In
    this case, after some time, the Cisco router sends an ISAKMP Delete/Notify
    message to delete one of the IPsec SAs. If the removed IPsec SA is the
    first SA, it will be fine. But if the removed IPsec SA is the newest SA,
    the IPsec tunnel state is set to "prospective eroute", and traffic
    between the Cisco and libreswan on the IPsec tunnel is blocked.
It isn't obvious to me that this is a good change in behaviour or a correct change. Nor is it obviously bad.

Why should deleting one SA delete another?

Will deleting the SA generate a delete notification from us? (Deleting without notification seems like a bad idea.)

Perhaps the correct fix is to change the eroute to the old SA rather than deleting the SA. (I've not thought carefully about this.)

Is there any support in the RFCs for any of this?

(I haven't read the code, just this commit message.)

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
