Issue #3097
charon restart behaviour
Description
This is a query regarding charon restart behaviour while running as a responder. The scenario is as follows:
- IPSEC SA established between initiator and responder
- both initiator and responder are exchanging DPD INFORMATIONAL messages
- The responder system crashes and restarts, and the charon daemon is restarted.
- Initiator is in DPD detection phase.
- The new charon daemon on the responder receives the DPD INFORMATIONAL messages from the initiator and, it looks like, ignores them.
- The SA (data path) is dead until the initiator completes the DPD phase and initiates a new SA request.
So my question is:
- Is there any way for the responder to trigger the "connection close" (after it restarts) when it receives a DPD INFORMATIONAL request from the initiator?
History
#1 Updated by Tobias Brunner over 1 year ago
- Status changed from New to Feedback
- Is there any way for the responder to trigger the "connection close" (after it restarts) when it receives a DPD INFORMATIONAL request from the initiator?
No, it doesn't know anything about the previous SAs (SPIs, key material etc.). And strongSwan doesn't return unencrypted INFORMATIONALs with INVALID_SPI notifies (which initiators would also have to handle somehow). It currently also doesn't support RFC 6290 or RFC 5723 (again, initiators would have to support these too).
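As an added illustration (not part of the issue thread and not strongSwan code): a small Python model of the timeline in the description and of the answer in comment #1. The initiator's DPD retransmissions follow strongSwan's documented defaults from strongswan.conf (charon.retransmit_timeout = 4.0, charon.retransmit_base = 1.8, charon.retransmit_tries = 5). A restarted responder that has lost all SA state drops the INFORMATIONAL, so the initiator only declares the IKE SA dead once every retransmit is exhausted. The same model adds an RFC 6290 style QCD token (a MAC over both IKE SPIs under a long-lived secret, handed to the initiator at SA setup and recomputed after the crash) to show what both peers would have to implement for the restarted responder to be able to say "this SA is gone" without being spoofable. The class and function names, the HMAC-SHA256 token construction, the 8-byte SPIs and the random secrets are choices made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# strongSwan's documented defaults in strongswan.conf (charon.retransmit_*):
# first retransmit after 4 s, exponential back-off with base 1.8, 5 retransmits.
RETRANSMIT_TIMEOUT = 4.0
RETRANSMIT_BASE = 1.8
RETRANSMIT_TRIES = 5


def retransmit_schedule(timeout: float = RETRANSMIT_TIMEOUT,
                        base: float = RETRANSMIT_BASE,
                        tries: int = RETRANSMIT_TRIES) -> list:
    """Seconds the initiator waits after the initial send and after each retransmit."""
    return [timeout * base ** n for n in range(tries + 1)]


def dpd_giveup_seconds(**kw) -> float:
    """Time until an unanswered DPD INFORMATIONAL makes the initiator declare the IKE SA dead."""
    return sum(retransmit_schedule(**kw))


@dataclass
class Responder:
    """IKE responder: SA state lives in memory only; `secret` models a QCD secret kept on disk."""
    secret: bytes
    qcd: bool
    sas: Dict[Tuple[bytes, bytes], bool] = field(default_factory=dict)

    def qcd_token(self, spi_i: bytes, spi_r: bytes) -> bytes:
        # Example token construction (this example's choice): a MAC over both IKE SPIs under
        # the long-lived secret, so it can be recomputed after a crash from the packet header alone.
        return hmac.new(self.secret, spi_i + spi_r, hashlib.sha256).digest()

    def establish(self, spi_i: bytes) -> Tuple[bytes, Optional[bytes]]:
        spi_r = os.urandom(8)
        self.sas[(spi_i, spi_r)] = True
        # With QCD the token is handed to the initiator while the SA is being set up.
        return spi_r, (self.qcd_token(spi_i, spi_r) if self.qcd else None)

    def restart(self) -> None:
        self.sas.clear()  # crash + restart: SAs, SPIs and keys are gone; only `secret` survives

    def handle_informational(self, spi_i: bytes, spi_r: bytes) -> Optional[Tuple[str, Optional[bytes]]]:
        if (spi_i, spi_r) in self.sas:
            return ("response", None)            # normal DPD reply
        if not self.qcd:
            return None                          # behaviour described in comment #1: unknown SPIs, dropped
        # QCD: answer with an unprotected INVALID_IKE_SPI carrying the regenerated token
        return ("INVALID_IKE_SPI", self.qcd_token(spi_i, spi_r))


@dataclass
class Initiator:
    spi_i: bytes = field(default_factory=lambda: os.urandom(8))
    spi_r: Optional[bytes] = None
    token: Optional[bytes] = None

    def connect(self, responder: Responder) -> None:
        self.spi_r, self.token = responder.establish(self.spi_i)

    def run_dpd(self, peer: Responder) -> Tuple[str, float]:
        """Send a DPD INFORMATIONAL and retransmit until answered; return (outcome, seconds elapsed)."""
        elapsed = 0.0
        for wait in retransmit_schedule():
            reply = peer.handle_informational(self.spi_i, self.spi_r)
            if reply is not None:
                kind, payload = reply
                if kind == "response":
                    return ("alive", elapsed)
                # Only a token equal to the one received at setup is trusted; accepting any
                # unprotected notify would let an off-path spoofer tear down SAs with one packet.
                if (kind == "INVALID_IKE_SPI" and self.token is not None
                        and hmac.compare_digest(payload, self.token)):
                    return ("dead_qcd", elapsed)
            elapsed += wait                      # no usable reply: wait, then retransmit
        return ("dead_timeout", elapsed)


def scenario_restart(qcd: bool) -> Tuple[str, float]:
    """The thread's scenario: SA up, responder crashes and restarts, initiator runs DPD."""
    responder = Responder(secret=os.urandom(32), qcd=qcd)
    initiator = Initiator()
    initiator.connect(responder)
    assert initiator.run_dpd(responder) == ("alive", 0.0)   # before the crash DPD is answered
    responder.restart()
    return initiator.run_dpd(responder)


def scenario_spoofed_notify() -> Tuple[str, float]:
    """A third party without the secret cannot shortcut DPD with a forged INVALID_IKE_SPI."""
    responder = Responder(secret=os.urandom(32), qcd=True)
    initiator = Initiator()
    initiator.connect(responder)
    spoofer = Responder(secret=os.urandom(32), qcd=True)    # wrong secret, no SA state
    return initiator.run_dpd(spoofer)


if __name__ == "__main__":
    print("initiator gives up after %.1f s with default retransmit settings" % dpd_giveup_seconds())
    print("restart, no QCD:", scenario_restart(False))
    print("restart, QCD   :", scenario_restart(True))
    print("spoofed notify :", scenario_spoofed_notify())
```

With the defaults the initiator gives up after 4 + 7.2 + 12.96 + 23.3 + 42.0 + 75.6 seconds, roughly 165 s, during which the data path is down exactly as the description says. Since the restarted responder cannot say anything useful without QCD, the only knob that shortens the outage in this scenario is the initiator's retransmission schedule (charon.retransmit_timeout, charon.retransmit_base and charon.retransmit_tries in strongswan.conf); pass other values to retransmit_schedule() to see the effect. The spoofed-notify scenario shows why comment #1 stresses that initiators would have to implement RFC 6290 too: an unverified INVALID_IKE_SPI must be ignored, so the token check on the initiator side is what makes the fast teardown safe.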
#2 Updated by Krishnamurthy Daulatabad over 1 year ago
Thanks for the quick response. Is there any plan to implement RFC 6290 anytime soon?
#3 Updated by Tobias Brunner over 1 year ago
Is there any plan to implement RFC 6290 anytime soon?
Not at this moment.