<div dir="ltr">Thank you Tobias.<div><br><div>Honestly, I thought that for IKEv2 <span style="color:rgb(33,33,33)">multiple traffic selectors are</span> possible anyway. Also, I was confused about the subnets because with ipsec statusall it shows different rekey time values for different policies which include traffic selectors (ip.net1 === ip.net2). Strongswan also prints "creating rekey job for CHILD_SA ESP/0x12345678/" to the log file, which made me think it should rekey only this particular SA, with a particular SPI, matching specific source and destination (TS). Sorry if it's a stupid question - but is it trying to rekey all CHILD_SAs instead when at least one of them is expired?</div><div><br></div><div>We will contact our peer and if they don't support <span style="color:rgb(33,33,33)">multiple traffic selectors</span><span style="color:rgb(33,33,33)"> we will follow your example.</span></div><div><span style="color:rgb(33,33,33)">Thank you for your help.</span></div></div></div><br><div class="gmail_quote"><div dir="ltr">пн, 12 нояб. 2018 г. в 17:46, Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Kseniya,<br>
<br>
> So my question is: is it a default behavior for strongswan to list all<br>
> subnets in Traffic Selector fields even if their CHILD SAs are not<br>
> expired yet? Is it possible to change this behavior to include only<br>
> those subnets, which need rekeying, into proposals?<br>
<br>
You are not rekeying subnets but IPsec/CHILD_SAs. If your peer does not<br>
support multiple traffic selectors per CHILD_SA you need to negotiate a<br>
separate CHILD_SA for each combination of subnets (see [1]).<br>
<br>
Regards,<br>
Tobias<br>
<br>
[1]<br>
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA</a><br>
<br>
</blockquote></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><p dir="ltr">BR, Kseniya</p>
</div>