[Swan-dev] Behaviour around Delete/Notify: two problems for the price of one.

Paul Wouters paul at nohats.ca
Mon Jul 4 16:57:26 UTC 2016

On Sat, 2 Jul 2016, Paul Wouters wrote:

>>  Clearly we should be consistent independent of IKE version.
>>  It all depends on what the meaning of auto=add with an ipsec auto --up
>>  really means. Is this the same as "auto=start" meaning "always try to
>>  keep this up"? If so, if the other end sends a delete, shouldn't we
>>  immediately establish a new IKE SA, instead of waiting one minute?
>>  And if the auto=add side sends an ipsec auto --down, does that mean it
>>  will accept a request to immediately go up? That would also be weird.
>>  So, I'm open for input :)

Which I still am, because I think we should not wait 60s before we start
trying again when we are configured to be "always up".


> strongswan always deletes both IKE and IPsec SA's (with auto=add and
> auto=start), meaning the endpoint configured with auto=start can be "shut
> down" by the other endpoint. I do not think that is the correct behaviour.

This new keyword in strongswan seems related:

        closeaction = none | clear | hold | restart
               defines the action to  take  if  the  remote  peer unexpectedly
               closes  a  CHILD_SA  (see  dpdaction  for meaning of values).  A
               closeaction should not be used if the peer uses reauthentication
               or  uniquids checking, as these events might trigger the defined
               action when not desired.

It seems even more of a pandora's box.

I would say if auto=start or auto=add + ipsec auto --up, and
rekey=yes, it should attempt to bring up a new tunnel upon receiving
delete/notify. Ideally, it should postpone the delete or install a %hold
shunt. I prefer postpone the delete - it is basically a shunt already.
Then we could leave the current 60s dying behaviour in place?


More information about the Swan-dev mailing list