[Swan-dev] Behaviour around Delete/Notify: two problems for the price of one.

Paul Wouters paul at nohats.ca
Sat Jul 2 15:21:39 UTC 2016

I've observed the following behaviour:

east and west both have auto=add in the config file.
You run ipsec auto --up on west.
Then you run ipsec auto --down on east.

What happens:
- east goes down and removes the IKE and IPsec SA
- west deletes the IKE SA, and reschedules the IPsec SA for 1 minute

So between east and west, now one IPsec SA lingers on west.

One minute later, west creates a new IKE SA to bring up the IPsec SA.
East responds and both end up with an IKE and IPsec SA.

If east had done ipsec auto --delete, west would end up retrying.

Now, in IKEv2 both ends end up without any IKE SA or IPsec SA.

Clearly we should be consistent independent of IKE version.

It all depends on what the meaning of auto=add with an ipsec auto --up
really means. Is this the same as "auto=start" meaning "always try to
keep this up"? If so, if the other end sends a delete, shouldn't we
immediately establish a new IKE SA, instead of waiting one minute?

And if the auto=add side sends an ipsec auto --down, does that mean it
will accept a request to immediately go up? That would also be weird.

So, I'm open for input :)
