Hi,

> If the responder rejects the CREATE_CHILD_SA request with a
> NO_ADDITIONAL_SAS notification, the implementation MUST be capable of
> instead deleting the old SA and creating a new one.
I'd say strongSwan is capable of doing that. But instead of just closing and recreating the CHILD_SA, we recreate the IKE_SA, too.

I think there is one good reason to reject CHILD_SA rekeyings with NO_ADDITIONAL_SAS: if the implementation is very minimalistic and does not want to support this scenario. But if this is the case, to me it is very reasonable to assume that it doesn't support closing and recreating the CHILD_SA: it is almost the same exchange. So instead of trying to close and recreate the CHILD_SA after such a failure (which is likely to fail, too), we just recreate the IKE_SA (which should work).

Regards,
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
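The trade-off Martin describes, as an added toy model (not strongSwan code): a constructed responder that handles IKE_AUTH but rejects every CREATE_CHILD_SA with NO_ADDITIONAL_SAS, and the two initiator fallbacks compared against it. The `Responder` class and both fallback functions are assumptions made for illustration.

```python
"""Toy model of IKEv2 CHILD_SA rekey fallbacks (added example, not strongSwan code).

Assumptions (constructed): a responder is modelled only by whether it supports
CREATE_CHILD_SA; a 'minimalistic' peer handles IKE_SA_INIT/IKE_AUTH (which carry
the first CHILD_SA) but answers every CREATE_CHILD_SA with NO_ADDITIONAL_SAS.
"""
from dataclasses import dataclass, field

NO_ADDITIONAL_SAS = "NO_ADDITIONAL_SAS"  # RFC 7296 notify type name


@dataclass
class Responder:
    supports_create_child_sa: bool
    child_sas: set = field(default_factory=set)

    def ike_auth(self, spi):
        """Initial exchange: establishes the IKE_SA plus its first CHILD_SA."""
        self.child_sas = {spi}
        return "OK"

    def create_child_sa(self, spi):
        """CREATE_CHILD_SA, used both for rekeying and for additional CHILD_SAs."""
        if not self.supports_create_child_sa:
            return NO_ADDITIONAL_SAS
        self.child_sas.add(spi)
        return "OK"

    def delete(self, spi):
        self.child_sas.discard(spi)
        return "OK"


def rekey_delete_then_create(resp, old, new):
    """RFC fallback: after NO_ADDITIONAL_SAS, delete the old CHILD_SA, create a new one."""
    if resp.create_child_sa(new) == "OK":
        resp.delete(old)
        return "rekeyed"
    resp.delete(old)
    # 'Create' is again a CREATE_CHILD_SA, so a minimal peer rejects it as well
    return "rekeyed" if resp.create_child_sa(new) == "OK" else "no CHILD_SA left"


def rekey_reauth_ike_sa(resp, old, new):
    """Fallback described on the list: tear down and recreate the whole IKE_SA."""
    if resp.create_child_sa(new) == "OK":
        resp.delete(old)
        return "rekeyed"
    resp.delete(old)  # closing the IKE_SA takes its CHILD_SA with it
    return "rekeyed" if resp.ike_auth(new) == "OK" else "no CHILD_SA left"
```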
