[Swan-dev] Behaviour around Delete/Notify: two problems for the price of one.

Paul Wouters paul at nohats.ca
Sat Jul 2 15:21:39 UTC 2016



I've observed the following behaviour:

east and west both have auto=add in the config file.
you run ipsec auto --up on west.
then you run ipsec auto --down on east

What happens:
- east goes down and removes the IKE and IPsec SA
- west deletes the IKE SA, and reschedules the IPsec SA for a 1 minute
   replace.

So between east and west, now one IPsec SA lingers on west.

One minute later, west creates a new IKE SA to bring up the IPsec SA.
East responds and both end up with an IKE and IPsec SA.

If east had done ipsec auto --delete, west would end up retrying
indefinitely.


Now, in IKEv2 both ends end up without any IKE SA or IPsec SA.


Clearly we should be consistent independent of IKE version.

It all depends on what the meaning of auto=add with an ipsec auto --up
really means. Is this the same as "auto=start" meaning "always try to
keep this up"? If so, if the other end sends a delete, shouldn't we
immediately establish a new IKE SA, instead of waiting one minute?

And if the auto=add side sends an ipsec auto --down, does that mean it
will accept a request to immediately go up? That would also be weird.


So, I'm open for input :)

Paul
