author | Tobias Brunner <tobias@strongswan.org> | 2016-02-17 17:31:51 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-03 17:28:03 +0100 |
commit | 2f3c08d268a6ead9e7d9e74b523600d76e3e5722 (patch) | |
tree | 92c5feb3413000eec81b7e2777875ecaaaf92b34 /src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c | |
parent | 904f93f65562fef83c945348e02fa24600a510ec (diff) | |
download | strongswan-2f3c08d268a6ead9e7d9e74b523600d76e3e5722.tar.bz2 strongswan-2f3c08d268a6ead9e7d9e74b523600d76e3e5722.tar.xz |
ikev1: Allow immediate deletion of rekeyed CHILD_SAs

When charon rekeys a CHILD_SA after a soft limit expired, it is only
deleted after the hard limit is reached. In case of packet/byte limits
this may not be the case for a long time since the packets/bytes are
usually sent using the new SA. This may result in a very large number of
stale CHILD_SAs and kernel states. With enough connections configured this
will ultimately exhaust the memory of the system.

This patch adds a strongswan.conf setting that, if enabled, causes the old
CHILD_SA to be deleted by the initiator after a successful rekeying.

Enabling this setting might create problems with implementations that
continue to use rekeyed SAs (e.g. if the DELETE notify is lost).

Diffstat (limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c')
0 files changed, 0 insertions, 0 deletions