Hi Martin. Thanks for the response. Agreed re: DPD, rekeying etc for SA clean up. However, I'm not sure I understand the notion that the responder doesn't care about the non-functional SA. More so in terms of two-way traffic. If the responder needs to send traffic to the initiator how is that going to happen if the initiator always fails the authentication?
-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Tuesday, January 17, 2012 3:56 AM
To: Johnson, Eric C
Cc: [email protected]
Subject: Re: [strongSwan] Question regarding failed Child SA response

Hi,

> I just need some help understanding how\why either host fails to
> recover from the failed Child SA response.

It's not related to the CHILD_SA, but authentication fails at the initiator because the identity constraint is not fulfilled. The IKEv2 protocol does not specify a mechanism to send an AUTHENTICATION_FAILED in this situation, as the exchange is complete. The best option probably would be to send a DELETE for the failed IKE_SA, but we currently don't do it. Maybe I'll implement it some day, but it is not top priority for me.

It doesn't happen that much in the wild, and often the responder does not care about the non-functional SA. It will get deleted by some other mechanisms (DPD, rekeying or INITIAL_CONTACT).

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
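The situation Martin describes, as an added ipsec.conf example that is not part of this thread and not taken from the strongSwan project: the initiator's `rightid` is the identity constraint whose mismatch makes authentication fail locally after IKE_AUTH has already completed, and the `dpd*`, rekeying and `uniqueids` settings are the cleanup mechanisms he names that eventually remove the responder's non-functional IKE_SA. The connection name, addresses and identities are constructed placeholders; the option names are standard strongSwan ipsec.conf keywords.

```conf
# ipsec.conf (strongSwan) - added example, not from the mailing-list thread.
# Connection name, addresses and identities below are constructed placeholders.

config setup
    # INITIAL_CONTACT handling: when a peer presenting the same identity
    # authenticates again, replace the old (possibly dead) IKE_SA.
    uniqueids = yes

conn gw-to-gw
    keyexchange = ikev2
    left = 192.0.2.1                 # this host (placeholder address)
    leftid = @gw1.example.test       # identity this host presents (placeholder)
    leftauth = pubkey
    right = 198.51.100.1             # peer (placeholder address)
    # Identity constraint on the peer. If the identity the peer authenticates
    # with does not match, this host (as initiator) rejects the IKE_SA after
    # IKE_AUTH has completed; IKEv2 gives it no AUTHENTICATION_FAILED to send
    # at that point, so the responder keeps its half of the SA for now.
    rightid = @gw2.example.test
    rightauth = pubkey
    # Dead Peer Detection: after 30s without traffic, probe the peer with an
    # empty INFORMATIONAL exchange and remove the SA if it stops answering.
    # This is the mechanism that clears the responder's dangling SA above.
    dpdaction = clear
    dpddelay = 30s
    # Periodic rekeying bounds the lifetime of a half-dead SA as well.
    ikelifetime = 3h
    lifetime = 1h
    rekeymargin = 3m
    auto = add
```

The same `dpdaction`/`dpddelay` settings belong on the responder side, since it is the responder whose SA is left without a working peer; with DPD configured there, traffic the responder tries to send toward the initiator fails only until the next probe goes unanswered and the SA is cleared.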
