Issue #763

After rekey strongswan is not deleting old CHILD SA

Added by Manish Tiwari almost 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
charon
Affected version:
5.2.1
Resolution:
No feedback

Description

After an IPsec rekey is successfully done, ideally strongSwan has to delete the old SA and create a new CHILD SA.

It's able to create a new CHILD SA but is not deleting the old CHILD SA.

It keeps on adding CHILD SAs (the ipsec statusall command is showing that all CHILD SAs are active).

Question: Is there any option which will inform strongSwan to delete the old CHILD SA?

History

#1 Updated by Martin Willi almost 6 years ago

  • Category set to charon
  • Status changed from New to Feedback
  • Assignee set to Martin Willi

Hi,

I assume you are talking about IKEv1 connections and Quick Mode rekeying?

Yes, not deleting superseded Quick Modes immediately is the expected behavior. With IKEv1, there is no guarantee that the peer is not using the old SA until it expires, so we have to keep it. Further, it is not possible to delete the superseded Quick Mode reliably: IKEv1 delete messages use unacknowledged INFORMATIONAL messages, so we can't be sure that the peer actually receives that message. If not, we delete a Quick Mode on our side that the peer is potentially still using for sending traffic.

We therefore decided to keep rekeyed Quick Modes until they expire by lifetime. To avoid having them linger around, make sure to use consistent lifetimes with your peer, and optionally consider adjusting rekeymargin.

Regards
Martin
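The IKEv1 behaviour described in the reply above (a superseded Quick Mode stays installed until its hard lifetime, which is why consistent lifetimes and rekeymargin matter) can be modelled; this is an added example, not strongSwan code or anything posted in the thread. It assumes the strongSwan rekeymargin/rekeyfuzz timing formula and a toy model in which every SA lives its full configured hard lifetime; `QuickModeSa`, `peak_installed_sas` and the 10-minute peer interval are constructed for the illustration.

```python
# Added illustration, not strongSwan code: how many IKEv1 Quick Mode SAs stay
# installed when a superseded SA is only removed at its hard lifetime.
# Assumptions (ours): every SA lives exactly its hard lifetime; a rekey is
# initiated at lifetime - margin - rand * margin * fuzz (rekeymargin/rekeyfuzz).
import random
from dataclasses import dataclass


@dataclass
class QuickModeSa:
    created: float
    expires: float  # hard lifetime; the SA is dropped only at this point


def rekey_time(lifetime, margin, fuzz=1.0, rnd=random.random):
    """Seconds after creation at which a replacement Quick Mode is started
    (the soft lifetime). rnd is injectable so results can be deterministic."""
    return lifetime - margin - rnd() * margin * fuzz


def peak_installed_sas(hard_lifetime, interval, horizon):
    """Simulate a new Quick Mode every `interval` seconds; old SAs are only
    removed once their hard lifetime has passed. Return the peak number of
    SAs installed at the same time."""
    sas, peak, t = [], 0, 0.0
    while t < horizon:
        sas = [s for s in sas if s.expires > t]  # hard-lifetime expiry only
        sas.append(QuickModeSa(created=t, expires=t + hard_lifetime))
        peak = max(peak, len(sas))
        t += interval
    return peak


def consistent_peers(lifetime=3600, margin=540, horizon=8 * 3600):
    """Both peers use the same lifetime; rekeying happens at our soft
    lifetime. Fixed fuzz (rnd=0.5) keeps the run reproducible."""
    soft = rekey_time(lifetime, margin, rnd=lambda: 0.5)
    return peak_installed_sas(lifetime, soft, horizon)


def mismatched_peers(our_lifetime=3600, peer_interval=600, horizon=8 * 3600):
    """Constructed mismatch: the peer rekeys every 10 minutes while we keep
    each superseded SA for its full one-hour hard lifetime."""
    return peak_installed_sas(our_lifetime, peer_interval, horizon)


if __name__ == "__main__":
    print("consistent lifetimes, peak SAs installed:", consistent_peers())  # 2
    print("peer rekeys every 10 min, peak SAs installed:", mismatched_peers())  # 6
```

With matching lifetimes at most two Quick Modes overlap (the new one and the superseded one awaiting hard expiry); a peer that rekeys far more often than our hard lifetime allows accumulates SAs exactly as `ipsec statusall` would show them.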

#2 Updated by Manish Tiwari almost 6 years ago

Hi Martin,

Thanks for the response, but I am talking about IKEv2.
After some observation I found it's deleting the unused IPsec SAs with the hard lifetime.

So here my doubt is:
Why is strongSwan not deleting the unused SAs with the soft lifetime?

Best Regards,
Manish Tiwari

#3 Updated by Martin Willi almost 6 years ago

Hi,

In IKEv2, strongSwan really should delete the old CHILD_SA just after creating a new one, and it definitely does here.

Please provide a log file excerpt that shows this issue. Is there a third party peer involved? What kernel backend are you using?

Regards
Martin

#4 Updated by Tobias Brunner about 5 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
