[Swan-dev] [Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at nohats.ca
Tue Aug 25 17:02:29 EEST 2015
On Tue, 25 Aug 2015, D. Hugh Redelmeier wrote:
> | IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
> |
> | This behaviour is similar to "ipsec auto --down connection-name"
> |
> | This resolves an interop issue with Cisco where after a brief outage,
> | sometimes the connection results in two IPsec SAs being established. In
> | this case, after some time, the Cisco router sends an ISAKMP Delete/Notify
> | message to delete one of the IPsec SAs. If the removed IPsec SA is the
> | first SA, it will be fine. But if the removed IPsec SA is the newest SA,
> | the IPsec tunnel state is set to "prospective eroute". And now traffic
> | between the Cisco and libreswan on the IPsec tunnel is blocked.
>
> It isn't obvious to me that this is a good change in behaviour or a
> correct change. Nor is it obviously bad.
>
> Why should deleting one SA delete another?
Because the current SA being deleted _already_ replaced the older SA
that we just kept lingering for a bit? We are not talking about a second
tunnel here (from what I understand).
> Will deleting the SA generate a delete notification from us? (Deleting
> without notification seems like a bad idea.)
I think we already sent a delete for it? We are sending a regular delete
for the one we are deleting just now.
> Is there any support in the RFCs for any of this?
I'm not sure.
Paul
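To make the two behaviours being debated concrete, here is a small simulation of per-connection IPsec SA bookkeeping. This is an added example written for this page, not libreswan code: the `Connection`/`IPsecSA` classes, the `state` values, the SPI values and the choice to record a delete notification for every SA torn down locally are all assumptions of the model. It contrasts "remove only the named SA" (the behaviour the commit message describes as leaving the tunnel in the prospective eroute state) with "tear down every SA when the newest one is removed" (the `ipsec auto --down`-like behaviour the commit introduces).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IPsecSA:
    spi: int      # identifies the SA; sample values below are constructed
    serial: int   # higher serial == newer SA (installed later, e.g. by a rekey)


@dataclass
class Connection:
    """Simplified model of one IPsec connection and its child SAs (assumption)."""
    name: str
    sas: List[IPsecSA] = field(default_factory=list)
    # "sa": an SA carries traffic; "prospective": the eroute (policy) is still
    # installed but no SA is attached, so packets are trapped and traffic is
    # blocked; "down": connection torn down, no policy, no SAs.
    state: str = "down"
    sent_deletes: List[int] = field(default_factory=list)  # SPIs we notified the peer about
    _next_serial: int = 0

    def add_sa(self, spi: int) -> IPsecSA:
        """Install a new SA; the newest SA takes over the eroute."""
        self._next_serial += 1
        sa = IPsecSA(spi, self._next_serial)
        self.sas.append(sa)
        self.state = "sa"
        return sa

    def newest(self) -> Optional[IPsecSA]:
        return max(self.sas, key=lambda s: s.serial, default=None)

    def traffic_flows(self) -> bool:
        return self.state == "sa"

    def peer_deleted(self, spi: int, policy: str) -> None:
        """Handle a Delete notification from the peer for one IPsec SA.

        policy "delete_one": remove just that SA (the older behaviour the
        thread describes).
        policy "down_on_newest": if the removed SA is the newest one, remove
        every SA of the connection, like `ipsec auto --down`.
        """
        victim = next((s for s in self.sas if s.spi == spi), None)
        if victim is None:
            return  # unknown SPI: nothing to do
        was_newest = victim is self.newest()

        if policy == "down_on_newest" and was_newest:
            for s in self.sas:
                if s is not victim:
                    # Model assumption: we notify the peer for each SA we drop
                    # ourselves (the peer already knows about `victim`).
                    self.sent_deletes.append(s.spi)
            self.sas.clear()
            self.state = "down"
            return

        self.sas.remove(victim)
        if was_newest:
            # The SA that owned the eroute is gone and the lingering older SA
            # is not re-attached: the connection falls back to the prospective
            # eroute and traffic is blocked even though an SA still exists.
            self.state = "prospective"
        # Deleting an older, already-replaced SA leaves the newest SA intact.


def scenario(policy: str, delete_newest: bool) -> Connection:
    """Rekey leaves two SAs (constructed SPIs 0x1001 old, 0x1002 new); the
    peer then deletes one of them."""
    c = Connection("cisco-interop")
    c.add_sa(0x1001)
    c.add_sa(0x1002)  # rekey: the newest SA carries traffic, the old one lingers
    c.peer_deleted(0x1002 if delete_newest else 0x1001, policy)
    return c


if __name__ == "__main__":
    for policy in ("delete_one", "down_on_newest"):
        for newest in (False, True):
            c = scenario(policy, newest)
            print(f"{policy:15} delete_newest={newest!s:5} state={c.state:11} "
                  f"remaining={[hex(s.spi) for s in c.sas]} flows={c.traffic_flows()}")
```

The interesting row is `delete_one` with the newest SA removed: one SA is still present, yet the connection sits in the prospective eroute state and carries nothing, which is the stuck condition from the commit message. Under `down_on_newest` the same event leaves no stale SA behind, so a subsequent negotiation starts from a clean state.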