On Fri, 28 Nov 2014, Matt Rogers wrote:

Matt wrote the problem below. I am still confused what exactly is
happening and why we would need his patch for this. I would think
that if we --down tunnelA we should notice the phase1 is still used
by tunnelB and leave/move it around instead?


The use of preferred_ike is really just to manually work around this Cisco
quirk, and it's kind of a corner case. What you described above may be a better
solution (it doesn't happen that way now) but in practice I don't know if
it would help avoid the Cisco behavior like preferred_ike does.

I don't think it is a corner case. It is a bug on our end. We have one
parent that has two children and we delete one child. We shouldn't shoot
the parent.

With IKEv1, that is forgivable, as the orphaned child will create a new
parent once it needs to send IKE messages, where apparently Cisco has a
bug in its equivalent code.

With IKEv2, shooting the parent means deleting all its IPsec SA
children, so it becomes even more wrong.

Paul
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev