After rekey strongSwan is not deleting old CHILD_SA
After an IPsec rekey has completed successfully, strongSwan should ideally delete the old SA and create a new CHILD_SA.
It is able to create the new CHILD_SA but does not delete the old one.
It keeps adding CHILD_SAs (the ipsec statusall command shows all CHILD_SAs as active).
Question: Is there any option that tells strongSwan to delete the old CHILD_SA?
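A quick way to quantify what the report above describes, added here as an example and not part of the original report or of strongSwan itself: parse the CHILD_SA lines of ipsec statusall output, group the INSTALLED SAs by connection name and reqid (strongSwan keeps the reqid when it rekeys a CHILD_SA, so a superseded SA shares it with its replacement), and flag any group with more than one member. The statusall sample is constructed; the connection names, addresses and SPIs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec statusall` output (not captured from a real
# system): one connection with three INSTALLED CHILD_SAs sharing reqid 1,
# i.e. two superseded SAs still present, and one healthy connection.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
     net-net[1]: ESTABLISHED 23 minutes ago, 192.0.2.1[moon]...192.0.2.2[sun]
     net-net[1]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r, rekeying in 2 hours
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80101_i c0a80102_o
     net-net{1}:  AES_CBC_128/HMAC_SHA2_256_128, 2048 bytes_i, 1024 bytes_o, rekeying in 40 minutes
     net-net{1}:   10.1.0.0/16 === 10.2.0.0/16
     net-net{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80103_i c0a80104_o
     net-net{2}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 55 minutes
     net-net{2}:   10.1.0.0/16 === 10.2.0.0/16
     net-net{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80105_i c0a80106_o
     net-net{3}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 58 minutes
     net-net{3}:   10.1.0.0/16 === 10.2.0.0/16
     host-host[2]: ESTABLISHED 5 minutes ago, 192.0.2.1[moon]...192.0.2.3[carol]
     host-host{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a80107_i c0a80108_o
     host-host{4}:   192.0.2.1/32 === 192.0.2.3/32
"""

# First line of a CHILD_SA entry: "<conn>{<uid>}:  <STATE>, TUNNEL, reqid N, ..."
# IKE_SA lines use [uid] instead of {uid}, traffic-selector and algorithm lines
# do not start with an upper-case state word followed by a comma.
HEAD_RE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{(?P<uid>\d+)\}:\s+(?P<state>[A-Z]+),")
REQID_RE = re.compile(r"\breqid (?P<reqid>\d+)")
SPI_RE = re.compile(r"\bESP(?: in UDP)? SPIs:\s*(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")


def parse_child_sas(statusall_output):
    """Return one dict per CHILD_SA listed in `ipsec statusall` output."""
    sas = []
    for line in statusall_output.splitlines():
        head = HEAD_RE.match(line)
        if not head:
            continue
        reqid = REQID_RE.search(line)
        spi = SPI_RE.search(line)
        sas.append({
            "conn": head.group("conn"),
            "uid": int(head.group("uid")),
            "state": head.group("state"),
            "reqid": int(reqid.group("reqid")) if reqid else None,
            "spi_in": spi.group("spi_in") if spi else None,
            "spi_out": spi.group("spi_out") if spi else None,
        })
    return sas


def lingering_child_sas(sas):
    """Group INSTALLED CHILD_SAs by (connection, reqid) and return only the
    groups with more than one member: superseded SAs that were not deleted.
    Assumption: rekeyed CHILD_SAs keep the reqid of the SA they replace."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "INSTALLED":
            groups[(sa["conn"], sa["reqid"])].append(sa)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    found = lingering_child_sas(parse_child_sas(SAMPLE_STATUSALL))
    for (conn, reqid), members in found.items():
        spis = ", ".join(f"{m['spi_in']}_i/{m['spi_out']}_o" for m in members)
        print(f"{conn} reqid {reqid}: {len(members)} INSTALLED CHILD_SAs ({spis})")
```

Run it once shortly after a rekey and again a minute later: two INSTALLED SAs with the same reqid are normal for the few seconds it takes the IKEv2 delete to go through, but a group that keeps growing across rekeys is the symptom reported here. A connection with several child configurations gets separate reqids, so it is not flagged as long as each reqid has exactly one live SA.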
#1 Updated by Martin Willi almost 6 years ago
- Category set to charon
- Status changed from New to Feedback
- Assignee set to Martin Willi
I assume you are talking about IKEv1 connections and Quick Mode rekeying?
Yes, not deleting superseded Quick Modes immediately is the expected behavior. With IKEv1, there is no guarantee that the peer is not using the old SA until it expires, so we have to keep it. Further, it is not possible to delete the superseded Quick Mode reliably: IKEv1 delete messages use unacknowledged INFORMATIONAL messages, we can't be sure that the peer actually receives that message. If not, we delete a Quick Mode on our side that the peer is potentially still using for sending traffic.
We therefore decided to keep rekeyed Quick Modes until they expire by lifetime. To avoid having them lingering around, make sure to use consistent lifetimes with your peer, and optionally consider adjusting rekeymargin.
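A lifetime configuration for the IKEv1 case described in this comment, added here as an illustration and not taken from the thread or from the strongSwan documentation. With IKEv1 the superseded Quick Mode stays installed until its hard lifetime, which is reached roughly rekeymargin (plus up to rekeyfuzz of it) after rekeying started, so those two values bound how long the overlap lasts; the same lifetime should be configured on the peer. The connection name, addresses and subnets are assumptions.

```conf
conn net-net
        keyexchange=ikev1
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=192.0.2.2
        rightsubnet=10.2.0.0/16
        # IKE_SA (Phase 1) hard lifetime; use the same value on the peer
        ikelifetime=3h
        # IPsec SA (Quick Mode) hard lifetime; use the same value on the peer
        lifetime=1h
        # rekey this long before the hard lifetime; the old Quick Mode lingers
        # about this long (plus fuzz) after the new one is up
        rekeymargin=3m
        # randomize the margin by up to 100% so both peers do not rekey at once
        rekeyfuzz=100%
        rekey=yes
        auto=start
```

Shortening rekeymargin shrinks the window in which two Quick Modes coexist, but it also leaves less time for a rekey to complete and be retried before the SA expires, so keep it comfortably above the IKE retransmission time.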
#2 Updated by Manish Tiwari almost 6 years ago
Thanks for the response, but I am talking about IKEv2.
After some observation I found it deletes the unused IPsec SAs at the hard lifetime.
So my doubt is:
Why is strongSwan not deleting the unused SAs at the soft lifetime?
#3 Updated by Martin Willi almost 6 years ago
In IKEv2, strongSwan really should delete the old CHILD_SA just after creating a new one, and it definitely does here.
Please provide a log file excerpt that shows this issue. Is there a third party peer involved? What kernel backend are you using?