Hi,

> Scenario-1--> No child SA allowed using CREATE_CHILD_SA (apart from the
> one created during the AUTH exchange). How does strongswan behave in
> this case? Will it delete the IKE and try to recreate the IKE & child
> again?

No. The CHILD_SA does not get created, but no further actions follow. The existing IKE_SA and its child(ren) stay as they are. There is a global strongswan.conf option called charon.close_ike_on_child_failure, but this closes the IKE_SA only if establishing the initial CHILD_SA fails during IKE_AUTH.

> Scenario-2--> Already <N> child SAs are created and the peer doesn't support
> an N+1th child SA under the given IKE (is it possible to enforce such a
> restriction?)

strongSwan does not have such a limit.

> How does strongswan behave in this case? Will it delete the IKE and
> all the child SAs under that IKE and try to recreate the IKE & child SAs
> again?

No, same behavior as in Scenario 1.

> Scenario-3--> Reject IKE rekeying request using CREATE_CHILD_SA from
> the peer. How does strongswan behave in this case? Will it delete the
> IKE and all the child SAs under that IKE and try to recreate the IKE &
> child SAs again?

Yes. If IKE_SA rekeying gets rejected, charon starts re-authentication. This means it closes the IKE_SA with all CHILD_SAs, then recreates the IKE_SA with all previously established CHILD_SAs.

> Scenario-4 --> In case of a 1-IKE and multiple child-SA configuration, if
> the peer rejects the rekey request for any of the child (ESP) SAs with
> "NO_ADDITIONAL_SAS", how does strongswan behave in this case?

It will trigger a reauthentication, identical to Scenario 3.

Regards
Martin
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
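As an added illustration (not part of Martin's reply or of the strongSwan project's own files), here is a strongswan.conf fragment showing the charon.close_ike_on_child_failure option the reply refers to. Its scope is the one stated above: it only governs the CHILD_SA negotiated together with IKE_AUTH; a later CREATE_CHILD_SA request that the peer rejects (Scenarios 1 and 2) leaves the IKE_SA and its existing CHILD_SAs in place regardless of this setting.

```conf
# strongswan.conf fragment (added example, not taken from the thread)
charon {
    # Default is "no": if the CHILD_SA negotiated with IKE_AUTH cannot be
    # established, charon keeps the bare IKE_SA up.
    # "yes" tears the IKE_SA down when that initial CHILD_SA fails, so no
    # IKE_SA without a usable CHILD_SA is left behind. This does not change
    # how rejected CREATE_CHILD_SA exchanges are handled later on.
    close_ike_on_child_failure = yes
}
```

Rekey rejection of the IKE_SA itself (Scenario 3) or a NO_ADDITIONAL_SAS reply to a CHILD_SA rekey (Scenario 4) is handled by the re-authentication path described in the reply and is not influenced by this option.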
