From: Timo T. <tim...@ik...> - 2009-04-15 05:44:55
Paul Moore wrote:
> When racoon receives an expiry notification from the kernel, it deletes
> the SA from its ph2tree. Should it tell the peer or not? Today it does
> not
>
> I ask because Windows does tell its peer, it sends an info delete

The specs are pretty vague on this one. When the SA expires, it is implied that the SA will be deleted. However, according to the spec, the delete payload is a notification that the sender of the message has deleted the SA, so it would be OK to send it.

Do note that, currently, I think the SA is removed from ph2tree when it soft expires. You should not send the delete payload until the SA hard expires.

Cheers,
Timo