List: strongswan-users
Subject: Re: [strongSwan] Behavior on receiving NO_ADDITIONAL_SAS
From: Martin Willi <martin () strongswan ! org>
Date: 2013-02-28 11:59:46
Message-ID: 1362052786.2900.23.camel () martin
Hi,
> Scenario-1--> No child SA allowed using CREATE_CHILD_SA (apart from the
> one created during the AUTH exchange). How does strongswan behave in
> this case? Will it delete the IKE and try to recreate the IKE & child
> again?
No. The CHILD_SA does not get created, but no further actions follow.
The existing IKE_SA and its child(ren) stay as they are.
There is a global strongswan.conf option called
charon.close_ike_on_child_failure, but this closes the IKE_SA only if
establishing the initial CHILD_SA fails during IKE_AUTH.
> Scenario-2--> Already <N> child SAs are created and the peer doesn't support
> an N+1th child SA under the given IKE (is it possible to enforce such a
> restriction?)
strongSwan does not have such a limit.
> How does strongswan behave in this case? Will it delete the IKE and
> all the child SAs under that IKE and try to recreate the IKE & child SAs
> again?
No, same behavior as in Scenario 1.
> Scenario-3--> Reject IKE rekeying request using CREATE_CHILD_SA from
> the peer. How does strongswan behave in this case? Will it delete the
> IKE and all the child SAs under that IKE and try to recreate the IKE &
> child SAs again?
Yes. If IKE_SA rekeying gets rejected, charon starts re-authentication.
This means it closes the IKE_SA with all CHILD_SAs, then recreates the
IKE_SA with all previously established CHILD_SAs.
> Scenario-4--> In case of a 1-IKE and multiple child-SA configuration, if
> the peer rejects the rekey request for any of the child (ESP) SAs with
> "NO_ADDITIONAL_SAS", how does strongswan behave in this case?
It will trigger a reauthentication, identical to Scenario 3.
Regards
Martin
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
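The strongswan.conf option named in the reply, shown here as an added illustration that is not part of Martin's message or of the strongSwan project's own documentation. The comments restate the scope the reply gives it: it only affects the initial CHILD_SA negotiated during IKE_AUTH, not later CREATE_CHILD_SA failures such as a NO_ADDITIONAL_SAS rejection. The default value "no" is an assumption about the option's default, not something the message states.

```conf
# /etc/strongswan.conf (added example, not from the mailing-list post)
charon {
    # Default (assumed): a failed initial CHILD_SA during IKE_AUTH leaves the
    # IKE_SA up; the same holds for any later CREATE_CHILD_SA failure, which
    # per the reply above is not covered by this option at all.
    # close_ike_on_child_failure = no

    # Alternative: tear down the IKE_SA when the initial CHILD_SA of the
    # IKE_AUTH exchange cannot be established. This does not change how a
    # rejected CREATE_CHILD_SA (e.g. NO_ADDITIONAL_SAS) is handled later.
    close_ike_on_child_failure = yes
}
```

When reviewing a deployment for the scenarios in the thread, the check to make is therefore on the rekey path rather than on this option: a rejected IKE_SA or CHILD_SA rekey leads to re-authentication (IKE_SA closed and recreated with all its CHILD_SAs), and no strongswan.conf setting in the reply changes that.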