Hi,

> Suppose the IKE SA has multiple CHILD_SAs (one IKE SA, under that multiple
> CHILD_SAs). Deleting & re-creating the IKE SA (deleting all CHILD_SAs
> too) also affects the traffic on the other CHILD_SAs. In that case, how to
> handle that situation?
As said, if an implementation can handle multiple CHILD_SAs, I don't see why it should not support CHILD_SA rekeying. This is also implied in the text in RFC 5996:

> The responder sends a NO_ADDITIONAL_SAS notification to indicate that
> a CREATE_CHILD_SA request is unacceptable because the responder is
> unwilling to accept any more Child SAs on this IKE SA. This
> notification can also be used to reject IKE SA rekey. Some minimal
> implementations may only accept a single Child SA setup in the
> context of an initial IKE exchange and reject any subsequent attempts
> to add more.

Usually if an implementation sends NO_ADDITIONAL_SAS, it either does not want to have more CHILD_SAs on a single IKE_SA, or it does not support the creation and rekeying of CHILD_SAs outside of IKE_AUTH. Of course our behavior could be changed, but I really see no reason why we should do so.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
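As an added illustration of the exchange discussed in this thread (this is example code, not strongSwan's implementation), the following parses an IKEv2 Notify payload in the RFC 5996 section 3.10 wire format, recognizes NO_ADDITIONAL_SAS (type 35), and models the initiator's only remaining option once a CHILD_SA rekey is refused that way: re-establishing the whole IKE_SA, which takes the sibling CHILD_SAs down with it. The `on_rekey_response` policy and the sample payload are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

# IKEv2 Notify payload (RFC 5996 section 3.10): generic payload header
# (Next Payload, C/RESERVED, Payload Length) followed by Protocol ID,
# SPI Size, Notify Message Type, then the optional SPI and notification data.
NOTIFY_HEADER = struct.Struct("!BBHBBH")
NO_ADDITIONAL_SAS = 35      # error-type notify, RFC 5996 section 3.10.1
ERROR_TYPE_MAX = 16383      # types 0..16383 are errors, 16384.. are status

@dataclass
class Notify:
    next_payload: int
    critical: bool
    protocol_id: int
    msg_type: int
    spi: bytes
    data: bytes

    @property
    def is_error(self) -> bool:
        return self.msg_type <= ERROR_TYPE_MAX

def parse_notify(buf: bytes) -> Notify:
    """Parse one Notify payload, rejecting inconsistent length fields."""
    if len(buf) < NOTIFY_HEADER.size:
        raise ValueError("truncated Notify header")
    nxt, flags, length, proto, spi_size, msg_type = NOTIFY_HEADER.unpack_from(buf)
    if length < NOTIFY_HEADER.size + spi_size or length > len(buf):
        raise ValueError("Notify payload length inconsistent with buffer")
    body = buf[NOTIFY_HEADER.size:length]
    return Notify(nxt, bool(flags & 0x80), proto, msg_type,
                  body[:spi_size], body[spi_size:])

def on_rekey_response(notify_payloads: Iterable[bytes]) -> str:
    """Hypothetical initiator policy after a CREATE_CHILD_SA rekey request.
    NO_ADDITIONAL_SAS means the peer will not create CHILD_SAs outside
    IKE_AUTH, so a fresh CHILD_SA needs a new IKE_SA (and all sibling
    CHILD_SAs on the old IKE_SA go away with it). Other error notifies
    just mean this rekey failed; status notifies do not block it."""
    for raw in notify_payloads:
        n = parse_notify(raw)
        if n.msg_type == NO_ADDITIONAL_SAS:
            return "reestablish-ike-sa"
        if n.is_error:
            return "rekey-failed"
    return "rekey-accepted"

# Constructed sample: NO_ADDITIONAL_SAS as a responder would send it
# (Protocol ID 0, no SPI, no data, Next Payload 0 = last payload).
SAMPLE_NO_ADDITIONAL_SAS = NOTIFY_HEADER.pack(0, 0, NOTIFY_HEADER.size, 0, 0, NO_ADDITIONAL_SAS)
```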
