[strongSwan-dev] IKEv1 rekey issue

Manju Prabhu manjunath.mp at gmail.com
Fri Dec 14 19:10:07 CET 2018


Hi Tobias,
In my case, the IKE SA rekey time was 300s and IPsec SA rekey time was
3600s.

However, once I hit the scenario, the system remains in that state:
* IKEv1 rekey happens every 300s, new IKE SAs are created and no IPsec SAs
are created. Should the system not recover on next IKEv1 rekey?
* IPsec rekey timer is probably not of any use since IPsec SAs are not
present.

Thanks,
Manju

On Wed, Dec 12, 2018 at 12:57 AM Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Manju,
>
> > However, are there known issues with IKEv1 with short rekey timers and
> > how does IKEv2 overcome this problem?
>
> IKEv1 has no exchange collision handling, so if both ends rekey
> concurrently, all bets are off. IKEv2 has (except for reauthentication,
> so use regular rekeying to avoid problems).
>
> Regards,
> Tobias
>