From: Timo T. <tim...@ik...> - 2009-04-14 05:11:17
Paul Moore wrote:
> If I do (transport mode)
>
> racoonctl delete-sa isakmp ...
>
> the following things happen
>
> a) the phase 1 gets closed and the far side gets informed
>
> b) the local phase 2 SAs get deleted but the far side is not told
>
> Now if the far side tries to talk to me it will fail because it thinks
> the SAs are still good.
>
> So either
>
> a) Racoon must not delete the local SAs
>
> or
>
> b) Racoon must send delete notifications when it does delete them
>
> Note that option (c) = delete local SAs when receive phase1 delete, is
> not OK.
>
> (a) or (b) are equally easy to implement - which one is the correct one
> to do?

Technically (a) would look like the correct thing, as IPsec SAs are not tied to ISAKMP SAs. However, from a practical point of view, if you delete all ISAKMP SAs you usually do that to flush everything. So in practice it would make sense to also delete all IPsec SAs. So I'd probably go with (b).

- Timo
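As an added illustration, not racoon's code and not part of the thread above, here is a small Python model of the three behaviours being discussed: the current one (phase 2 SAs dropped locally without telling the peer), option (a) (keep them) and option (b) (drop them and send an IPsec Delete payload per SPI). `Peer`, `delete_sa_isakmp` and `stale_spis` are made-up names, the SPIs are constructed, and as a simplification one SPI labels both directions of an SA pair.

```python
from dataclasses import dataclass, field

# Protocol IDs carried in an ISAKMP Delete payload (RFC 2408, section 3.14).
PROTO_ISAKMP = 1
PROTO_IPSEC_ESP = 3

@dataclass
class Peer:
    """One IKEv1 endpoint: its phase 1 (ISAKMP) SA and phase 2 (IPsec) SAs.
    Assumption: a single SPI labels an SA pair on both sides."""
    name: str
    isakmp_sa_up: bool = True
    ipsec_spis: set = field(default_factory=set)
    sent_deletes: list = field(default_factory=list)

    def receive_delete(self, proto, spis):
        # Remove only what the Delete payload names.  A phase 1 delete does
        # NOT tear down IPsec SAs: that is option (c), which the thread rejects.
        if proto == PROTO_ISAKMP:
            self.isakmp_sa_up = False
        else:
            self.ipsec_spis -= set(spis)

    def send_delete(self, other, proto, spis):
        self.sent_deletes.append((proto, tuple(sorted(spis))))
        other.receive_delete(proto, spis)

def delete_sa_isakmp(local, remote, option):
    """Model 'racoonctl delete-sa isakmp' as 'current', 'a' or 'b'."""
    local.send_delete(remote, PROTO_ISAKMP, [])   # phase 1 delete, peer informed
    local.isakmp_sa_up = False
    if option in ("current", "b"):
        spis = set(local.ipsec_spis)
        if option == "b":                          # tell the peer which SPIs die
            local.send_delete(remote, PROTO_IPSEC_ESP, spis)
        local.ipsec_spis.clear()                   # 'current' drops them silently

def stale_spis(local, remote):
    """SAs the far side still believes are usable but the local side has
    dropped; traffic on these fails, which is the symptom Paul describes."""
    return remote.ipsec_spis - local.ipsec_spis

def run(option):
    # Constructed SPIs for the demonstration.
    local = Peer("local", ipsec_spis={0x1001, 0x1002})
    remote = Peer("remote", ipsec_spis={0x1001, 0x1002})
    delete_sa_isakmp(local, remote, option)
    return local, remote
```

Running `stale_spis(*run(opt))` for each option shows stale SAs only for `"current"`, which is exactly the mismatch the thread is about.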