[Swan-dev] shared IKE SA interop bug with cisco

Paul Wouters 🔓 paul at nohats.ca
Sun Nov 30 21:23:26 EET 2014


On Fri, 28 Nov 2014, Matt Rogers wrote:

>> Matt wrote the problem below. I am still confused what exactly is
>> happening and why we would need his patch for this. I would think
>> that if we --down tunnelA we should notice the phase1 is still used
>> by tunnelB and leave/move it around instead?
>>
>
> The use of preferred_ike is really just to manually work around this cisco quirk,
> and it's kind of a corner case. What you described above may be a better
> solution (it doesn't happen that way now) but in practice I don't know if
> it would help avoid the cisco behavior like preferred_ike does.

I don't think it is a corner case. It is a bug on our end. We have one
parent that has two children and we delete one child. We shouldn't shoot
the parent.

With IKEv1, that is forgivable, as the orphaned child will create a new
parent once it needs to send IKE messages, where apparently Cisco has a
bug in its equivalent code.

With IKEv2, shooting the parent means deleting all its IPsec SA
children, so it becomes even more wrong.

Paul
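A toy state model of the parent/child relationship discussed above, added here as an illustration and not code from the thread or from libreswan: `down_child_buggy` reproduces the complained-about behaviour (taking one child down also deletes the shared IKE SA, with the IKEv2 cascade onto every child), while `down_child_fixed` keeps the parent as long as another child still uses it. All type and function names are invented for this example.

```c
#include <stdbool.h>

#define MAX_CHILDREN 4
enum { IKEV1 = 1, IKEV2 = 2 };

/* Constructed toy model (not libreswan code): one IKE SA shared by its IPsec SA children. */
struct sa_family {
    int ike_version;
    bool ike_alive;
    int nchildren;
    bool child_alive[MAX_CHILDREN];
};

static struct sa_family make_family(int version, int nchildren)
{
    struct sa_family f = { version, true, nchildren, { false } };
    for (int i = 0; i < nchildren; i++)
        f.child_alive[i] = true;
    return f;
}

static int live_children(const struct sa_family *f)
{
    int n = 0;
    for (int i = 0; i < f->nchildren; i++)
        n += f->child_alive[i];
    return n;
}

/* The behaviour the thread complains about: --down on one child also deletes the shared parent. */
static void down_child_buggy(struct sa_family *f, int idx)
{
    f->child_alive[idx] = false;
    f->ike_alive = false;               /* "shoot the parent" */
    if (f->ike_version == IKEV2)        /* IKEv2: a deleted parent takes every child with it */
        for (int i = 0; i < f->nchildren; i++)
            f->child_alive[i] = false;
    /* IKEv1: the other child survives as an orphan and must set up a new parent later */
}

/* The behaviour argued for: keep the parent while any other child still depends on it. */
static void down_child_fixed(struct sa_family *f, int idx)
{
    f->child_alive[idx] = false;
    if (live_children(f) == 0)
        f->ike_alive = false;
}
```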

