On Tue, 25 Aug 2015, D. Hugh Redelmeier wrote:
> | IKEv1: Remove all IPsec SAs of a connection when newest SA is removed.
> |
> | This behaviour is similar to "ipsec auto --down connection-name"
> |
> | This resolves an interop issue with Cisco where after a brief outage,
> | sometimes the connection results in two IPsec SAs being established. In
> | this case, after some time, the Cisco router sends an ISAKMP Delete/Notify
> | message to delete one of the IPsec SAs. If the removed IPsec SA is the
> | first SA, it will be fine. But if the removed IPsec SA is the newest SA,
> | the IPsec tunnel state is set to "prospective eroute". And now traffic
> | between the Cisco and libreswan on the ipsec tunnel is blocked.
> It isn't obvious to me that this is a good change in behaviour or a
> correct change. Nor is it obviously bad.
> Why should deleting one SA delete another?
Because the current SA being deleted _already_ replaced the older SA
that we just kept lingering for a bit? We are not talking about a second
tunnel here (from what I understand).
> Will deleting the SA generate a delete notification from us? (Deleting
> without notification seems like a bad idea.)
I think we already sent a delete for it? We are sending a regular delete
for the one we are deleting just now.
> Is there any support in the RFCs for any of this?
I'm not sure.
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
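To make the two behaviours being debated concrete, the following is a small Python model added here as an illustration; it is not libreswan code and not code from anyone in this thread. It assumes a connection keeps a list of IPsec SAs in install order, that the newest SA owns the kernel eroute while older ones linger, and that the "stale" state below stands for the "prospective eroute" condition the commit message describes. The SPIs, connection name and the choice to record a Delete notification for every SA the responder tears down are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IPsecSA:
    spi: int
    seq: int                    # install order; highest seq is the newest SA
    owns_eroute: bool = False   # True for the SA the kernel policy points at


@dataclass
class Connection:
    name: str
    sas: List[IPsecSA] = field(default_factory=list)
    sent_deletes: List[int] = field(default_factory=list)  # SPIs we sent a Delete for (model assumption)
    _next_seq: int = 0


def install_sa(conn: Connection, spi: int) -> IPsecSA:
    """Install a new IPsec SA (e.g. from a duplicate negotiation after an outage).
    The newest SA takes over the eroute; earlier SAs linger without owning it."""
    conn._next_seq += 1
    for old in conn.sas:
        old.owns_eroute = False
    sa = IPsecSA(spi=spi, seq=conn._next_seq, owns_eroute=True)
    conn.sas.append(sa)
    return sa


def handle_peer_delete(conn: Connection, spi: int, cascade_on_newest: bool) -> List[int]:
    """Process an ISAKMP Delete from the peer for one SPI.
    cascade_on_newest=False models the old behaviour (remove only that SA).
    cascade_on_newest=True models the proposed change (if the deleted SA is the
    newest one, remove every SA of the connection, like 'ipsec auto --down').
    Returns the SPIs removed, in removal order."""
    target = next((s for s in conn.sas if s.spi == spi), None)
    if target is None:
        return []                      # unknown SPI: nothing to do
    newest = max(conn.sas, key=lambda s: s.seq)
    victims = list(conn.sas) if (cascade_on_newest and target is newest) else [target]
    for v in victims:
        conn.sas.remove(v)
        conn.sent_deletes.append(v.spi)  # assumption: we notify for each SA we remove
    return [v.spi for v in victims]


def connection_state(conn: Connection) -> str:
    """'up' if some SA owns the eroute, 'down' if no SA is left,
    'stale' if SAs linger but none owns the eroute (traffic blocked)."""
    if not conn.sas:
        return "down"
    if any(s.owns_eroute for s in conn.sas):
        return "up"
    return "stale"


def simulate(cascade_on_newest: bool, peer_deletes_spi: int = 0x1002) -> Tuple[List[int], List[int], str, List[int]]:
    """Two SAs end up established (constructed SPIs); the peer then deletes one."""
    conn = Connection("cisco-site")
    install_sa(conn, 0x1001)           # first SA
    install_sa(conn, 0x1002)           # newest SA, owns the eroute
    removed = handle_peer_delete(conn, peer_deletes_spi, cascade_on_newest)
    return removed, [s.spi for s in conn.sas], connection_state(conn), list(conn.sent_deletes)


if __name__ == "__main__":
    for cascade in (False, True):
        removed, remaining, state, notified = simulate(cascade)
        print(f"cascade={cascade}: removed={[hex(s) for s in removed]} "
              f"remaining={[hex(s) for s in remaining]} state={state} "
              f"deletes_sent={[hex(s) for s in notified]}")
```

With the old behaviour, deleting the newest SA leaves the older one lingering in the "stale" state, which is the blocked-traffic condition from the commit message; with the cascade, the connection ends cleanly "down", and deleting the older SA still leaves the newest one "up" in both models.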