[strongSwan] What will Happen if Reauthentication Fail?
Jessie Liu
iamnotjessie at yahoo.com.tw
Mon Jul 12 11:41:02 CEST 2010
Dear all,
I found a paragraph in RFC 4718 as follows:

   IKEv2 does not have any special support for reauthentication.
   Reauthentication is done by creating a new IKE_SA from scratch (using
   IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA notify
   payloads), creating new CHILD_SAs within the new IKE_SA (without
   REKEY_SA notify payloads), and finally deleting the old IKE_SA (which
   deletes the old CHILD_SAs as well).

Why will strongSwan delete the old IKE_SA and CHILD_SA first when doing re-authentication? If I delete the old IKE_SA and CHILD_SA after the re-authentication process, is there anything I should take care of, such as migration from the old SA to the new SA? Or would just doing re-authentication and then deleting the old SA work well?
Thanks in advance!!
B.R.
Jessie
--- On Thu, 2010/7/8, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
From: Andreas Steffen <andreas.steffen at strongswan.org>
Subject: Re: [strongSwan] What will Happen if Reauthentication Fail?
To: "Jessie Liu" <iamnotjessie at yahoo.com.tw>
Cc: users at lists.strongswan.org
Date: Thursday, July 8, 2010, 7:48 PM
Hi Jessie,
reauthentication with IKEv2 is never overlapping. Always the IKE_SA
together with any dependent CHILD_SAs is taken down first and then
reauthentication starts from scratch. This means that there is always
an interruption of the IPsec tunnel of about 1-2 seconds due to
the reauthentication. If you don't want this, use IKE_SA rekeying
which is overlapping.
Best regards
Andreas
On 08.07.2010 12:03, Jessie Liu wrote:
> Dear all,
> I have one question about reauthentication. What will happen if we do
> the re-authentication as the initiator and the re-authentication process
> failed?
> Will strongswan destroy the tunnel first and then do re-authentication
> but it failed, so the tunnel is down afterwards? Or will strongswan keep
> the old SA and start to do re-authentication but it failed, and
> strongswan will roll back to the old SA and the tunnel is not affected?
>
> Thanks in advance!
>
> Best Regards,
> Jessie
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
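
Added example, not part of the original thread: an ipsec.conf fragment contrasting the two behaviours described in the reply, using strongSwan's `reauth` connection option. The connection names, addresses and lifetimes are constructed for illustration.

```conf
# /etc/ipsec.conf (constructed example; names, addresses and lifetimes are assumptions)

conn %default
    keyexchange=ikev2
    left=192.0.2.1
    ikelifetime=3h        # lifetime of the IKE_SA
    keylife=1h            # lifetime of each CHILD_SA
    rekeymargin=9m        # start renegotiation this long before expiry
    auto=start

# Behaviour described in the reply: when the IKE_SA is due for renewal,
# the IKE_SA and its CHILD_SAs are taken down first, then
# IKE_SA_INIT/IKE_AUTH start from scratch. Traffic is interrupted, and
# the old SAs are already gone if the new IKE_AUTH does not succeed.
conn gw-reauth
    right=198.51.100.1
    reauth=yes            # the default

# Overlapping alternative: the IKE_SA is rekeyed instead, and the
# CHILD_SAs stay installed while the new IKE_SA takes over.
# Trade-off: no new IKE_AUTH takes place, so the peer's credentials are
# not checked again until the connection is set up anew.
conn gw-rekey
    right=198.51.100.2
    reauth=no
```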