[strongSwan-dev] IKEv2 reauthentication

Chris Winkler cwinkler at marvell.com
Wed May 20 22:47:09 CEST 2020

You can discard this inquiry, I found the make-before-break option and will try that.


From: Chris Winkler
Sent: Wednesday, May 20, 2020 1:46 PM
To: dev at lists.strongswan.org
Subject: IKEv2 reauthentication

I am bringing up a plugin to run IKEv2 using strongSwan 5.8.1 and have a question about reauthentication.  When reauthentication is initiated by the existing code outside of the plugin, it sends an INFORMATIONAL message to the peer to delete the existing IKE SA as the first step.  If this delete is processed and completed first, then that would cause traffic to stop until a new IKE SA and its child are established for authentication.

In RFC 7296, Section 2.8.3 paragraph 3, reauthentication is described with the last sentence stating that deleting of the old IKE SA is the last step.  So my question:

  *   Why is strongSwan deleting the existing IKE SA as the first step in the reauthentication process, which will clearly stop traffic temporarily?
     *   Is a lower layer expected to manage the deletions so that traffic does not stop?
     *   If yes, how does the lower layer know the difference between a shutdown from the peer and a reauthentication?  The INFORMATIONAL message for these is exactly the same (Notify with delete).
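The make-before-break option mentioned above, as an added example that is not from the original post or the strongSwan project: a strongswan.conf fragment for the charon daemon that switches IKEv2 reauthentication from the default break-before-make scheme to make-before-break (the file path is assumed to be the default /etc/strongswan.conf).

```conf
# /etc/strongswan.conf (added example; path assumed to be the default)
charon {
    # Default (no): break-before-make. On reauthentication charon first
    # sends INFORMATIONAL(DELETE) for the old IKE_SA (and with it the
    # CHILD_SAs), then creates the new IKE_SA and CHILD_SAs, so traffic
    # is interrupted until the new SAs are established.
    # make_before_break = no

    # make-before-break: create the new IKE_SA and its CHILD_SAs first and
    # delete the old ones last, in the order RFC 7296 section 2.8.3
    # describes, so the old and new SAs overlap and traffic keeps flowing
    # during reauthentication. The peer must tolerate two IKE_SAs with the
    # same identities existing briefly at the same time.
    make_before_break = yes
}

# When reauthentication happens is configured per connection in
# swanctl.conf via connections.<conn>.reauth_time (0, the default,
# disables reauthentication; rekey_time alone only rekeys without
# re-authenticating). The connection name is whatever you use locally.
```

Only the reauthentication order changes; the INFORMATIONAL delete for the old IKE_SA is still sent, it just arrives after the replacement SAs are already installed.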
