[Swan-dev] Behaviour around Delete/Notify: two problems for the price of one.

Paul Wouters paul at nohats.ca
Sat Jul 2 15:44:21 UTC 2016


On Sat, 2 Jul 2016, Paul Wouters wrote:

> Clearly we should be consistent independent of IKE version.
>
> It all depends on what the meaning of auto=add with an ipsec auto --up
> really means. Is this the same as "auto=start" meaning "always try to
> keep this up"? If so, if the other end sends a delete, shouldn't we
> immediately establish a new IKE SA, instead of waiting one minute?
>
> And if the auto=add side sends an ipsec auto --down, does that mean it
> will accept a request to immediately go up? That would also be weird.
>
>
> So, I'm open for input :)

strongswan always deletes both IKE and IPsec SAs (with auto=add and
auto=start), meaning the endpoint configured with auto=start can be "shut
down" by the other endpoint. I do not think that is the correct behaviour.

Paul

