| From: Paul Wouters <[email protected]>
|
| On Tue, 25 Aug 2015, D. Hugh Redelmeier wrote:
|
| > Off the top of my head, without due diligence, I would say that if one SA
| > is deleted, and it is the eroute owner, and there is an identical SA, it
| > should be made the eroute owner.
|
| But I think the "replaced" SA is not used anymore by the other end.
| Making it the eroute owner I assume we would expect the remote peer
| to suddenly start encrypting to us with a different key? I am pretty
| sure they won't do that.

Surely if the other side (1) does delete notifications, and (2) has not
issued a delete notification for this SA, then the SA should be legit.

And yes, I would assume that the other SA has its own key. That's their
nature.

If I remember correctly, an IKE system only deletes inbound SAs. It just
stops using outbound ones. Of course the inbound SA bundle and outbound
SA bundle are paired pretty tightly in IKE (not IPSec).

Am I missing something?

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
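A toy model of the ownership rule argued over in this thread, added here as an illustration; it is not libreswan code and is not from either poster. It assumes a simplified state: an "eroute" is the kernel policy that steers a connection's traffic into one particular Child SA (the eroute owner); SAs are identified by a constructed serial number; SAs for the same connection with the same traffic selectors count as "identical"; and the only way the peer signals that it has stopped using an SA is an IKE Delete notification. The `scenario()` helper replays the case under discussion: an SA is replaced by a rekey, the replacement is deleted, and the question is whether the older SA may take the eroute back.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ChildSA:
    serial: int                       # constructed state serial number
    conn: str                         # connection name
    selectors: Tuple[str, str]        # (local subnet, remote subnet), constructed
    peer_deleted: bool = False        # peer sent a Delete notification for this SA


@dataclass
class Kernel:
    """Minimal stand-in for the kernel SA table plus eroute ownership."""
    sas: Dict[int, ChildSA] = field(default_factory=dict)       # serial -> SA
    eroute_owner: Dict[str, int] = field(default_factory=dict)  # conn -> serial

    def install(self, sa: ChildSA) -> None:
        # A newly established SA (initial or rekey) takes over the eroute,
        # so the SA it replaces is no longer the owner.
        self.sas[sa.serial] = sa
        self.eroute_owner[sa.conn] = sa.serial

    def peer_delete_notification(self, serial: int) -> None:
        # Hugh's point (1)+(2): an SA the peer has not announced deleting is
        # presumed legitimate, so we track that announcement explicitly.
        self.sas[serial].peer_deleted = True

    def delete_sa(self, serial: int) -> Optional[int]:
        """Remove an SA; if it owned the eroute, hand the eroute to an
        identical SA the peer has not deleted. Returns the new owner's
        serial, or None if the eroute is simply torn down."""
        sa = self.sas.pop(serial)
        if self.eroute_owner.get(sa.conn) != serial:
            return None  # not the owner: nothing to re-point
        candidates = [
            s for s in self.sas.values()
            if s.conn == sa.conn
            and s.selectors == sa.selectors
            and not s.peer_deleted
        ]
        if not candidates:
            del self.eroute_owner[sa.conn]
            return None
        # Prefer the newest surviving SA. Paul's caveat still applies: the
        # peer may have silently stopped sending on it, in which case
        # inbound traffic would dry up even though outbound is re-pointed.
        new_owner = max(candidates, key=lambda s: s.serial)
        self.eroute_owner[sa.conn] = new_owner.serial
        return new_owner.serial


def scenario(peer_deleted_old: bool) -> Optional[int]:
    """Rekey, then delete the new owner; report who owns the eroute after."""
    k = Kernel()
    old = ChildSA(1, "west-east", ("10.0.1.0/24", "10.0.2.0/24"))  # constructed
    new = ChildSA(2, "west-east", ("10.0.1.0/24", "10.0.2.0/24"))  # constructed
    k.install(old)
    k.install(new)               # replaces SA#1 as eroute owner
    if peer_deleted_old:
        k.peer_delete_notification(1)
    k.delete_sa(2)
    return k.eroute_owner.get("west-east")


if __name__ == "__main__":
    print("owner after delete, old SA still legit:", scenario(False))   # 1
    print("owner after delete, old SA deleted by peer:", scenario(True))  # None
```

The model only encodes the rule; it cannot tell whether the peer is still encrypting to the promoted SA, which is exactly the gap the two replies disagree about.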
