[strongSwan] Issue regarding rekeying and updation of an IKE SA
Martin Willi
martin at strongswan.org
Wed Mar 3 16:31:25 CET 2010
Hi Stephen,
> > Reinitiating the IKE_SA from
> > scratch is also not possible on asymmetric connections.
>
> Can you elaborate on this point? What is an asymmetric connection? And why
> is reinitiating an IKE_SA not possible in this case?
Under asymmetric I meant an IKE_SA that can be initiated by one peer
only, but not the other. This is the case for IKE_SAs with EAP
authentication or if virtual IPs are acquired using configuration
request/response messages: A gateway can not (re-)initiate connections
to clients if they authenticate with EAP, the protocol does not allow
this.
> > As recreating an IKE_SA after an update is not always possible
>
> When is it not possible?
If the connection has one of these asymmetric properties, I think EAP
and configuration payloads are the only ones.
> How exactly is it done by hand?
>
> I know about the "ipsec up/down <name>" commands, but I thought these apply
> to CHILD_SAs.
No, the "down" command is very flexible:
ipsec down \
    connxy[]  - close the first found IKE_SA named connxy
    connxy[*] - close all IKE_SAs named connxy
    connxy[1] - close IKE_SA connxy with number 1 (as in statusall)
    [1]       - close IKE_SA connxy with number 1
    connxy{}  - close the first found CHILD_SA named connxy
    connxy{*} - close all CHILD_SAs named connxy
    connxy{1} - close CHILD_SA connxy with number 1 (as in statusall)
    {1}       - close CHILD_SA connxy with number 1
> Is an IKE_SA brought down by bringing down all of the associated
> connections?
No.
Regards
Martin
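As an added illustration of the "ipsec down" selector forms Martin lists above (this is example code written for this page, not part of strongSwan or of the mail), the following parser accepts exactly the eight listed forms and turns each into a (kind, name, which) triple that an operator script could check before shelling out. The permitted connection-name characters are an assumption of the example, not something the mail specifies.

```python
import re

# Selector grammar as listed in the mail:
#   name[]  name[*]  name[N]  [N]    -> IKE_SAs
#   name{}  name{*}  name{N}  {N}    -> CHILD_SAs
# Assumption of this example: a connection name is any run of characters
# that contains no bracket; strongSwan's real naming rules are not checked here.
_SELECTOR = re.compile(r'^([^\[\]{}]*)([\[{])(\*|[0-9]*)([\]}])$')


def parse_down_selector(selector):
    """Parse an 'ipsec down' selector into (kind, name, which).

    kind  is 'ike' or 'child'
    name  is the connection name, or None for the bare numbered forms [N] / {N}
    which is 'first', 'all', or an int (the SA number as shown by 'ipsec statusall')
    Raises ValueError for anything outside the listed forms.
    """
    m = _SELECTOR.match(selector)
    if not m:
        raise ValueError("not an ipsec down selector: %r" % selector)
    name, open_br, num, close_br = m.groups()
    if (open_br, close_br) not in (('[', ']'), ('{', '}')):
        raise ValueError("mismatched brackets in %r" % selector)
    kind = 'ike' if open_br == '[' else 'child'
    if num == '*':
        which = 'all'
    elif num == '':
        which = 'first'
    else:
        which = int(num)
    if not name:
        # Only the numbered forms [N] and {N} are listed without a name;
        # '[]' or '{*}' on their own are rejected.
        if not isinstance(which, int):
            raise ValueError("a connection name is required in %r" % selector)
        name = None
    return kind, name, which


def describe(selector):
    """Render a selector back into the wording used in the mail (round-trip check)."""
    kind, name, which = parse_down_selector(selector)
    sa = 'IKE_SA' if kind == 'ike' else 'CHILD_SA'
    if which == 'all':
        return 'close all %ss named %s' % (sa, name)
    if which == 'first':
        return 'close the first found %s named %s' % (sa, name)
    if name is None:
        return 'close %s with number %d' % (sa, which)
    return 'close %s %s with number %d' % (sa, name, which)


if __name__ == '__main__':
    for sel in ('connxy[]', 'connxy[*]', 'connxy[1]', '[1]',
                'connxy{}', 'connxy{*}', 'connxy{1}', '{1}'):
        print('%-10s %s' % (sel, describe(sel)))
```

The parser is deliberately strict: a selector such as "connxy[1}" or a bare "[*]" is rejected rather than guessed at, which matters when the string is about to be passed to a command that tears down live SAs.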