[strongSwan-dev] IKEv1 rekey issue

Manju Prabhu manjunath.mp at gmail.com
Fri Dec 14 19:10:07 CET 2018

Hi Tobias,
In my case, the IKE SA rekey time was 300s and IPsec SA rekey time was

However, once I hit the scenario, the system remains in that state:
* IKEv1 rekey happens every 300s, new IKE SAs are created and no IPsec SAs
are created. Should the system not recover on next IKEv1 rekey?
* IPsec rekey timer is probably not of any use since IPsec SAs are not


On Wed, Dec 12, 2018 at 12:57 AM Tobias Brunner <tobias at strongswan.org>

> Hi Manju,
> > However, are there known issues with IKEv1 with short rekey timers and
> > how does IKEv2 overcome this problem?
> IKEv1 has no exchange collision handling, so if both ends rekey
> concurrently, all bets are off; IKEv2 has (except for reauthentication,
> so use regular rekeying to avoid problems).
> Regards,
> Tobias
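
The reply above notes that IKEv2 has exchange collision handling while IKEv1 does not. As an added illustration (not part of the original thread and not strongSwan code), this sketch goes beyond the thread and models the tie-break that RFC 7296 sections 2.8.1 and 2.8.2 specify for simultaneous rekeying: the SA created by the exchange holding the lowest of the four nonces is deleted by the peer that created it. The class, function and peer names and the sample nonces are assumptions made for the example.

```python
# Added illustration, not strongSwan code. Follows the tie-break rule of
# RFC 7296 sections 2.8.1/2.8.2 for simultaneous rekeying in IKEv2.
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyExchange:
    """One CREATE_CHILD_SA rekey exchange (hypothetical model)."""
    initiator: str   # name of the peer that started this exchange
    ni: bytes        # initiator nonce
    nr: bytes        # responder nonce

    def lowest_nonce(self) -> bytes:
        # Python compares bytes octet by octet, and a nonce that is a
        # prefix of the other sorts lower, matching the RFC's definition.
        return min(self.ni, self.nr)


def resolve_collision(a: RekeyExchange, b: RekeyExchange):
    """Return (winner, loser) of two colliding rekey exchanges.

    The SA created by the exchange holding the lowest of the four nonces
    is redundant and is deleted by the peer that initiated that exchange.
    """
    if a.initiator == b.initiator:
        raise ValueError("not a collision: same initiator")
    if a.lowest_nonce() == b.lowest_nonce():
        raise ValueError("identical lowest nonces; cannot break the tie")
    loser, winner = sorted((a, b), key=RekeyExchange.lowest_nonce)
    return winner, loser


def describe(a: RekeyExchange, b: RekeyExchange) -> str:
    winner, loser = resolve_collision(a, b)
    return (f"keep SA from {winner.initiator}'s exchange; "
            f"{loser.initiator} deletes the SA it created")


# Constructed sample nonces (real ones are 16 to 256 random octets).
by_alice = RekeyExchange("alice", ni=bytes.fromhex("a1" * 16),
                         nr=bytes.fromhex("5c" * 16))
by_bob = RekeyExchange("bob", ni=bytes.fromhex("5b" * 16),
                       nr=bytes.fromhex("f0" * 16))

if __name__ == "__main__":
    print(describe(by_alice, by_bob))
```

Both peers reach the same verdict from the same four nonces, so exactly one redundant SA is removed. IKEv1 defines no such rule, which is why concurrent rekeys can leave the two ends in disagreement.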