The old code was doing roughly:

  #1 established as IKE SA
  #2 established as CHILD SA

and then

  | handling event EVENT_SA_REPLACE for parent state #1
  | #3 schedule initiate IKE Rekey SA none to replace IKE# 1
  - can't as network is down but keeps retrying
  | inserting event EVENT_SA_EXPIRE, timeout in 13.000 seconds for #1
  - i.e., switch #1 from REPLACE to EXPIRE

and then

  | #1: ISAKMP SA expired (LATEST!)
  - deletes all known children (i.e. #2, but not #3 - that's become a zombie)
  | #1: reschedule pending child #3 STATE_V2_REKEY_IKE_I of connection "road-east-x509-ipv4"[1] 192.1.2.23
  - the parent is going away
  | inserting event EVENT_SA_REPLACE, timeout in 0.000 seconds for #3
  - i.e., flips #3's event from retransmit to replace
  - deletes itself (#3)

and this wakes up zombie #3 causing it to:

  #3: handling event EVENT_SA_REPLACE for child state
  - creates #4 to do full re-negotiation
  - deletes itself

Since the new code deletes #3 (re-key state) while deleting #1 (original IKE SA) there is no #3 zombie state to bring back from the dead. Hence the connection dies.

My guess is what should happen is: the #1 EXPIRE event (clearly it wasn't as wakes up the zombie state #3 causing it to replace REPLACE) should do the replace itself.

Any thoughts?
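
The sequence described in the message above, as a toy model (an added example, not libreswan code and not part of the original post). The class, function and mode names are hypothetical; "guess" models the behaviour the message guesses should happen, with #1's expiry starting the replacement itself.

```python
from dataclasses import dataclass

# Toy model only: State, build, expire_parent and the mode names are
# hypothetical, not libreswan identifiers. Event names are the ones quoted
# in the message; "retransmit" is this model's label for #3's pending timer.

@dataclass
class State:
    serial: int
    kind: str          # "IKE", "CHILD" or "REKEY" (pending IKE rekey)
    parent: int = 0    # 0 means no parent
    event: str = ""


def build():
    """#1 IKE SA about to expire, #2 CHILD SA, #3 rekey of #1 still retrying."""
    return {
        1: State(1, "IKE", event="EVENT_SA_EXPIRE"),
        2: State(2, "CHILD", parent=1),
        3: State(3, "REKEY", parent=1, event="retransmit"),
    }


def expire_parent(states, mode):
    """Run #1's EVENT_SA_EXPIRE; return (surviving serials, zombie serials)."""
    next_serial = max(states) + 1
    zombies = []
    for s in [s for s in states.values() if s.parent == 1]:
        if mode == "old" and s.kind == "REKEY":
            s.event = "EVENT_SA_REPLACE"   # outlives its parent
            zombies.append(s.serial)
        else:
            del states[s.serial]           # "new" and "guess" delete #3 too
    del states[1]
    if mode == "guess":                    # the message's guess: expiry itself replaces
        states[next_serial] = State(next_serial, "IKE")
    for s in list(states.values()):        # fire events that are still pending
        if s.event == "EVENT_SA_REPLACE":
            states[next_serial] = State(next_serial, "IKE")
            del states[s.serial]
    return sorted(states), zombies


if __name__ == "__main__":
    for mode in ("old", "new", "guess"):
        print(mode, expire_parent(build(), mode))
```

An empty survivor list is the "connection dies" case: nothing is left to initiate #4.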
