Hi,

> I just need some help understanding how/why either host fails to
> recover from the failed Child SA response.

It's not related to the CHILD_SA, but authentication fails at the initiator because the identity constraint is not fulfilled. The IKEv2 protocol does not specify a mechanism to send an AUTHENTICATION_FAILED in this situation, as the exchange is complete. The best option probably would be to send a DELETE for the failed IKE_SA, but we currently don't do it. Maybe I'll implement it some day, but it is not top priority for me.

It doesn't happen that much in the wild, and often the responder does not care about the non-functional SA. It will get deleted by some other mechanisms (DPD, rekeying or INITIAL_CONTACT).

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
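The asymmetry Martin describes, as an added model that is not strongSwan code and not part of the thread: the responder finishes IKE_AUTH believing the IKE_SA is established, the initiator then checks the responder's identity against its configured constraint and discards the SA without any notify, and only a responder-side mechanism such as DPD removes the leftover SA. The identity matching rules (`%any`, a leading `*` wildcard, otherwise exact) and the DPD threshold are simplifying assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


def identity_matches(constraint: str, peer_id: str) -> bool:
    """Does the configured identity constraint accept the peer's IDr?
    Simplified model (assumption): '%any' accepts everything, a leading
    '*' acts as a wildcard (e.g. '*@example.org'), anything else must
    match exactly."""
    if constraint == "%any":
        return True
    if constraint.startswith("*"):
        return fnmatchcase(peer_id, constraint)
    return constraint == peer_id


@dataclass
class SaState:
    initiator: str            # what the initiator thinks of the IKE_SA
    responder: str            # what the responder thinks of the IKE_SA
    notify_sent: Optional[str]  # notify the initiator sent on failure


def ike_auth_outcome(constraint: str, responder_idr: str,
                     signature_valid: bool = True) -> SaState:
    """Model the end of the IKE_AUTH exchange. The responder has already
    sent its reply and considers the SA established. The initiator now
    verifies AUTH and the identity constraint; if that fails it tears
    the SA down locally. The exchange is over, so no
    AUTHENTICATION_FAILED notify goes back to the responder."""
    if signature_valid and identity_matches(constraint, responder_idr):
        return SaState("ESTABLISHED", "ESTABLISHED", None)
    return SaState("DESTROYED", "ESTABLISHED", None)


def responder_dpd(state: SaState, missed_replies: int,
                  max_missed: int = 3) -> SaState:
    """Responder-side cleanup: once DPD requests to the vanished
    initiator go unanswered max_missed times (constructed threshold),
    the stale SA is deleted. Rekeying or INITIAL_CONTACT would do the
    same job; only DPD is modelled here."""
    if state.initiator == "DESTROYED" and missed_replies >= max_missed:
        return SaState(state.initiator, "DELETED", state.notify_sent)
    return state
```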
