Hello!

I've been struggling a lot lately with isakmpd net to net to a strongswan
(nat-t) client.
Isakmpd tells strongswan to delete the SA after a while.

I've gotten great help from one of the strongswan developers who came up
with this.

isakmpd sends deletes for expired IKE_SAs over the latest active SA with a
specific peer. In strongSwan there is currently no check that the SPIs in
the DELETE payload with protocol ISAKMP actually match those of the
current SA; it simply assumes a DELETE on the current SA is to delete that
SA.

But according to RFC 2408 what isakmpd does is not really compliant:
"Deletion which is concerned with an ISAKMP SA will contain a Protocol-Id
of ISAKMP and the SPIs are the initiator and responder cookies from the
ISAKMP Header.", so no other SPIs are allowed than those of the current SA.

Any ideas?

Best regards
Martin
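As an added illustration of the check described in the post (not code from the post, from isakmpd or from strongSwan), here is a Python sketch that decodes an RFC 2408 Delete payload and accepts an ISAKMP-protocol DELETE only when its SPIs are the initiator and responder cookies of the SA it arrived on. The cookie values and payloads are constructed sample data.

```python
import struct
from dataclasses import dataclass

DOI_IPSEC = 1         # IPSEC DOI (RFC 2407)
PROTO_ISAKMP = 1      # Protocol-Id naming the ISAKMP SA itself
ISAKMP_SPI_SIZE = 16  # initiator cookie (8) + responder cookie (8)

@dataclass
class DeletePayload:
    doi: int
    protocol_id: int
    spis: list  # raw SPI byte strings

def build_delete_payload(doi, protocol_id, spis):
    """Encode a Delete payload (RFC 2408 3.15): generic header, DOI,
    Protocol-Id, SPI size, number of SPIs, then the SPIs themselves."""
    spi_size = len(spis[0]) if spis else 0
    body = b"".join(spis)
    length = 12 + len(body)
    return struct.pack("!BBHIBBH", 0, 0, length, doi, protocol_id,
                       spi_size, len(spis)) + body

def parse_delete_payload(data):
    """Decode one Delete payload; reject truncated or inconsistent lengths."""
    if len(data) < 12:
        raise ValueError("truncated Delete payload header")
    _next, _res, length, doi, proto, spi_size, n_spis = struct.unpack("!BBHIBBH", data[:12])
    if length != 12 + spi_size * n_spis or len(data) < length:
        raise ValueError("Delete payload length does not match SPI count")
    if proto == PROTO_ISAKMP and spi_size != ISAKMP_SPI_SIZE:
        raise ValueError("an ISAKMP delete must carry 16-byte cookie pairs")
    spis = [data[12 + i * spi_size:12 + (i + 1) * spi_size] for i in range(n_spis)]
    return DeletePayload(doi, proto, spis)

def delete_names_current_sa(payload, icookie, rcookie):
    """The check the post says is missing: act on an ISAKMP DELETE only if
    every SPI equals the cookies of the SA the message was received on."""
    if payload.protocol_id != PROTO_ISAKMP or not payload.spis:
        return False
    return all(spi == icookie + rcookie for spi in payload.spis)

# Constructed sample: cookies of the SA the DELETE arrives on, and cookies
# of an older, expired SA that a peer might name in the same payload.
CUR_I, CUR_R = bytes.fromhex("1111111111111111"), bytes.fromhex("2222222222222222")
OLD_I, OLD_R = bytes.fromhex("aaaaaaaaaaaaaaaa"), bytes.fromhex("bbbbbbbbbbbbbbbb")
STALE_DELETE = build_delete_payload(DOI_IPSEC, PROTO_ISAKMP, [OLD_I + OLD_R])
SELF_DELETE = build_delete_payload(DOI_IPSEC, PROTO_ISAKMP, [CUR_I + CUR_R])
```

With the check in place, STALE_DELETE is ignored (its SPIs belong to another SA) while SELF_DELETE is honoured, which is the behaviour the quoted RFC 2408 text calls for.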
