[strongSwan] Users Digest, Vol 18, Issue 30

ujjal sikdar ujjal.sikdar at gmail.com
Wed Jul 27 09:14:09 CEST 2011


Hi

I am doing one test scenario where the IP addresses are dynamically configured
on the interface. Due to this, what I observe is that reauthentication of IKE
is happening due to the address change, though the configured IP is not related
to any configured policy.
Is it possible to disable the reauthentication of IKE due to IP address
change? I have also configured "reauth=no" in all the policies to check
whether it has any effect, but it seems that it is not taking effect.

The configuration is as follows:

1) Policy 1 is configured on the eth1 interface (1.1.1.1/24) with reauth=no
and ikev2
2) Policy 2 is configured on eth1:1 (virtual IP address 1.1.1.2/24) with
reauth=no and ikev2

Now when ipsec is up, the tunnel will be established properly (both IKE SA and
child SA). Then I configured another IP address on eth3 (4.4.4.4/24) using the
ifconfig command. The configured IP is visible to strongSwan and due to
this it goes for the "reauthenticating IKE_SA due to address change". The most
strange part is that
reauthentication goes only for the virtual IP address configuration (1.1.1.2)
but not for the actual IP configured at the interface (eth1, 1.1.1.1).

So I want to know the following information.

1) Does reauth=no have any effect, or am I doing some wrong configuration?

2) Is reauth=no applicable to a single policy or as a whole (if configured
on a per-policy basis or in default)?

3) Why is the reauthentication happening for the virtual IP address and not for
the actual IP address configured?

Thanks in advance

Regards
Ujjal.