[strongSwan] Issue regarding rekeying and updation of an IKE SA

Martin Willi martin at strongswan.org
Wed Mar 3 16:31:25 CET 2010

Hi Stephen,

> > Reinitiating the IKE_SA from
> > scratch is also not possible on asymmetric connections.
> Can you elaborate on this point?  What is an asymmetric connection?  And why
> is reinitiating an IKE_SA not possible in this case?

Under asymmetric I meant an IKE_SA that can be initiated by one peer
only, but not the other. This is the case for IKE_SAs with EAP
authentication or if virtual IPs are acquired using configuration
request/response messages: A gateway can not (re-)initiate connections
to clients if they authenticate with EAP, the protocol does not allow

> > As recreating an IKE_SA after an update is not always possible
> When is it not possible?  

If the connection has one of these asymmetric properties, I think EAP
and configuration payloads are the only ones.

> How exactly is it done by hand?  
> I know about the "ipsec up/down <name>" commands, by I thought these apply
> to CHILD_SAs.

No, the "down" command is very flexible:

ipsec down \
  connxy[] - close the first found IKE_SA named connxy
  connxy[*] - close all IKE_SAs named connxy
  connxy[1] - close IKE_SA connxy with number 1 (as in statusall)
  [1] - close IKE_SA connxy with number 1
  connxy{} - close the first found CHILD_SA named connxy
  connxy{*} - close all CHILD_SAs named connxy
  connxy{1} - close CHILD_SA connxy with number 1 (as in statusall)
  {1} - close CHILD_SA connxy with number 1

> Is an IKE_SA brought down by bringing down all of the associated
> connections?



More information about the Users mailing list