<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><DIV>Dear all,</DIV>
<DIV> I found a paragraph in RFC 4718 as follows,</DIV>
<DIV> IKEv2 does not have any special support for reauthentication.<BR> Reauthentication is done by creating a new IKE_SA from scratch (using<BR> IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA notify<BR> payloads), creating new CHILD_SAs within the new IKE_SA (without<BR> REKEY_SA notify payloads), and finally deleting the old IKE_SA (which<BR> deletes the old CHILD_SAs as well).</DIV>
<DIV> </DIV>
<DIV> Why will strongswan delete the old IKE_SA and Child_SA first when doing re-authentication? If I delete the old IKE_SA and Child_SA after the re-authentication process, is there anything I should take care, such as migration from old SA to new SA? Or just do re-authentication and delete old SA would work well? </DIV>
<DIV> </DIV>
<DIV>Thanks in advance!!</DIV>
<DIV> </DIV>
<DIV>B.R.</DIV>
<DIV>Jessie<BR></DIV>
<DIV><BR>--- <B>10/7/8 (四),Andreas Steffen <I><andreas.steffen@strongswan.org></I></B> 寫道:<BR></DIV>
<BLOCKQUOTE style="BORDER-LEFT: rgb(16,16,255) 2px solid; PADDING-LEFT: 5px; MARGIN-LEFT: 5px"><BR>寄件者: Andreas Steffen <andreas.steffen@strongswan.org><BR>主旨: Re: [strongSwan] What will Happen if Reauthentication Fail?<BR>收件者: "Jessie Liu" <iamnotjessie@yahoo.com.tw><BR>副本: users@lists.strongswan.org<BR>日期: 2010年7月8日,四,下午7:48<BR><BR>
<DIV class=plainMail>Hi Jessie,<BR><BR>reauthentication with IKEv2 is never overlapping. Always the IKE_SA<BR>together with any dependent CHILD_SAs is taken down first and then<BR>reauthentication starts from scratch. This means that there is always<BR>an interruption of the IPsec tunnel of about 1-2 seconds due to<BR>the reauthentication. If you don't want this, use IKE_SA rekeying<BR>which is overlapping.<BR><BR>Best regards<BR><BR>Andreas<BR><BR>On 08.07.2010 12:03, Jessie Liu wrote:<BR>> Dear all,<BR>> I have one question about reauthenticaion. What will happen if we do<BR>> the re-authentication as the initiator and the re-authentication process<BR>> failed?<BR>> Will strongswan destroy the tunnel first and then do re-authentication<BR>> but it failed, so the tunnel is down afterwards? Or will strongswan keep<BR>> the old SA and start to do re-authentication but it failed, and<BR>> strongswan will roll back to
the old SA and the tunnel is not affected?<BR>> <BR>> Thanks in advance!<BR>> <BR>> Best Regards,<BR>> Jessie<BR><BR>======================================================================<BR>Andreas Steffen <A href="http://tw.mc738.mail.yahoo.com/mc/compose?to=andreas.steffen@strongswan.org" ymailto="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</A><BR>strongSwan - the Linux VPN Solution! www.strongswan.org<BR>Institute for Internet Technologies and Applications<BR>University of Applied Sciences Rapperswil<BR>CH-8640 Rapperswil (Switzerland)<BR>===========================================================[ITA-HSR]==<BR><BR></DIV></BLOCKQUOTE></td></tr></table><br>