[strongSwan] Issue regarding rekeying and updation of an IKE SA
Stephen Pisano
pisano at alcatel-lucent.com
Wed Mar 3 15:53:07 CET 2010
Hi Martin,
I have some additional questions on this topic:
> Reinitiating the IKE_SA from
> scratch is also not possible on asymmetric connections.
Can you elaborate on this point? What is an asymmetric connection? And why
is reinitiating an IKE_SA not possible in this case?
> As recreating an IKE_SA after an update is not always possible
> (and not always wanted), you'll have to do this by hand.
When is it not possible?
How exactly is it done by hand?
I know about the "ipsec up/down <name>" commands, but I thought these apply
to CHILD_SAs.
Is an IKE_SA brought down by bringing down all of the associated
connections?
Regards,
Stephen
Hi,
> when I do "ipsec update" the ike established should apply the new
> parameters at the time of rekeying
No, we currently do not re-look up an IKE_SA's configuration. The existing
IKE_SA still holds a refcount to the old configuration, and that is used
until the SA gets closed.
Rekeying is not always sufficient to apply a changed configuration, e.g.
if the authentication methods change. Reinitiating the IKE_SA from
scratch is also not possible on asymmetric connections.
> how do I apply any change in a parameter of ipsec.conf to IKE SA
> without bringing the IKE SA down?
This is not possible, you'll have to reinitiate an IKE_SA to apply its
config. Not all parameters of an IKE configuration are updated by
rekeying. As recreating an IKE_SA after an update is not always possible
(and not always wanted), you'll have to do this by hand.
Regards
Martin
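The "by hand" procedure Martin describes, as an added example that is not part of the thread and not strongSwan's own code: reload the changed ipsec.conf with "ipsec update" (which, per the reply above, leaves an established IKE_SA on its old configuration), then tear the connection down and bring it up again so the new configuration is looked up when the IKE_SA is created, and finally check "ipsec status" to confirm the outcome. The conn name "net-net" is hypothetical, and the IPSEC variable exists only so the commands can be redirected to a stub; the script assumes the "ipsec" command-line tool is on PATH. Whether "ipsec down <name>" closes the whole IKE_SA or only its CHILD_SA is exactly what Stephen asks above and is not settled in the thread, which is why the script counts the IKE_SAs of that name that are still ESTABLISHED afterwards instead of assuming.

```shell
#!/bin/sh
# Added example, not strongSwan's own code: apply an ipsec.conf change to an
# already established IKE_SA by reloading the config and reinitiating the
# connection by hand. Assumptions: a conn named "net-net" (hypothetical),
# the "ipsec" tool on PATH; IPSEC may point at a stub for testing.
IPSEC="${IPSEC:-ipsec}"

# Reload changed connections from ipsec.conf. As described in the thread,
# this alone does not touch an established IKE_SA: it keeps a refcount to
# the old configuration until it is closed.
reload_config() {
    "$IPSEC" update
}

# Reinitiate the IKE_SA by hand: tear the connection down, then bring it up
# again so that the new configuration is looked up for the new SA.
reinitiate() {
    conn="$1"
    "$IPSEC" down "$conn" && "$IPSEC" up "$conn"
}

# Full procedure; returns non-zero as soon as any step fails.
apply_ike_change() {
    conn="$1"
    reload_config && reinitiate "$conn"
}

# Count IKE_SAs of the given conn that "ipsec status" reports as ESTABLISHED.
# Prints the count; always returns 0 so a count of zero is not an error.
count_established() {
    conn="$1"
    "$IPSEC" status "$conn" | grep -c 'ESTABLISHED'
    return 0
}

# Usage (on a real host, after editing ipsec.conf):
#   apply_ike_change net-net && count_established net-net
# A count of 0 after "down" and before "up" is what you want to see; if an
# IKE_SA of that name is still ESTABLISHED, "down" did not close it and the
# old configuration is still in use.
```

Run it as a library ("." the file, then call apply_ike_change with the conn name) rather than as a one-shot script so the count check can be placed between the down and the up step if the first run shows the IKE_SA surviving "ipsec down".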