[strongSwan] What will Happen if Reauthentication Fail?
Andreas Steffen
andreas.steffen at strongswan.org
Thu Jul 8 13:48:16 CEST 2010
Hi Jessie,
reauthentication with IKEv2 is never overlapping. Always the IKE_SA
together with any dependent CHILD_SAs is taken down first and then
reauthentication starts from scratch. This means that there is always
an interruption of the IPsec tunnel of about 1-2 seconds due to
the reauthentication. If you don't want this, use IKE_SA rekeying
which is overlapping.
Best regards
Andreas
On 08.07.2010 12:03, Jessie Liu wrote:
> Dear all,
> I have one question about reauthentication. What will happen if we do
> the re-authentication as the initiator and the re-authentication process
> failed?
> Will strongswan destroy the tunnel first and then do re-authentication
> but it failed, so the tunnel is down afterwards? Or will strongswan keep
> the old SA and start to do re-authentication but it failed, and
> strongswan will roll back to the old SA and the tunnel is not affected?
>
> Thanks in advance!
>
> Best Regards,
> Jessie
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
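
The two behaviours described in the reply, as they would be selected in a legacy ipsec.conf. This is an added example, not part of the original thread or the project's own configuration: the conn names, addresses and lifetime values are constructed placeholders, while keyexchange, reauth, ikelifetime, margintime and also are strongSwan ipsec.conf keywords.

```conf
# Constructed example; use one of the two conns below for a given peer.
conn base
    keyexchange=ikev2
    left=192.0.2.1
    right=198.51.100.1
    auto=add
    # IKE_SA lifetime and how long before expiry renewal is attempted
    ikelifetime=3h
    margintime=9m

# Break-before-make: the IKE_SA and its dependent CHILD_SAs are taken down,
# then authentication starts from scratch (the 1-2 second interruption).
conn with-reauth
    also=base
    reauth=yes

# Overlapping: the IKE_SA is rekeyed and the tunnel stays up during renewal.
conn with-rekey
    also=base
    reauth=no
```

With reauth=no the peer is authenticated only when the IKE_SA is first established, so a credential that is revoked later is not re-checked until the connection is set up again.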