[strongSwan] regarding "reauthenticating IKE_SA due to address change"
Tobias Brunner
tobias at strongswan.org
Thu Jul 28 10:53:03 CEST 2011
Hi Ujjal,
> 1) Does reauth=no have any effect, or am I doing some wrong configuration?
The reauth option allows you to configure whether an IKE_SA is rekeyed or
reauthenticated once it is about to expire (ikelifetime/margintime). It
has no effect on other circumstances where a reauthentication might be
required.
> 3) Why is the reauthentication happening for the virtual IP address
> and not for the actual IP address configured?
The IKEv2 daemon charon listens for any address or route changes
reported by the kernel. If any occur, the MOBIKE/roaming process is
started. Now in your situation two things seem to happen. First,
charon thinks the current path to the other peer is not available
anymore. Charon checks this with a route lookup (similar to 'ip route
get x.x.x.x', where x.x.x.x is the address of the peer) and then compares
the returned source address with the one currently used for the IKE_SA.
If it is equal, not much more is done; otherwise charon tries to find a
new path using MOBIKE. Which brings me to the second observation: you
seem to either have disabled MOBIKE (mobike=no) or your peer does not
support it. Due to this charon, as a last resort, tries to
reauthenticate the IKE_SA (i.e. tear it down and set it up anew) in
order to find a new path to the peer.
Please note that before 4.5.0 the mentioned route lookup sometimes did
not return an IP address even if there was a route available.
Regards,
Tobias
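The path check Tobias describes, modelled as an added example (this is not charon's code and not part of the original mail): parse the source address out of 'ip route get <peer>' output, compare it with the address the IKE_SA currently uses, and derive the action the reply outlines (keep the path, try MOBIKE, or fall back to reauthentication when MOBIKE is unavailable). The sample route outputs, the peer and local addresses, and the helper names are constructed for illustration; the lookup-without-src sample stands in for the pre-4.5.0 behaviour mentioned above.

```python
import re
import subprocess
from typing import Optional

# Constructed sample outputs of 'ip route get <peer>'; not captured from
# the poster's system.  Addresses are documentation ranges.
ROUTE_GET_SAMPLES = {
    # same interface/source as the IKE_SA currently uses
    "same_path": "203.0.113.10 via 192.0.2.1 dev eth0  src 192.0.2.50 \n    cache ",
    # the kernel now prefers a different interface and source address
    "new_path": "203.0.113.10 via 198.51.100.1 dev wlan0  src 198.51.100.20 \n    cache ",
    # lookup returned a route but no src (stands in for the pre-4.5.0 case)
    "no_src": "203.0.113.10 via 192.0.2.1 dev eth0 \n    cache ",
}

# IPv4 source address as printed by iproute2 ("... src 192.0.2.50 ...")
SRC_RE = re.compile(r"\bsrc\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def route_source(route_get_output: str) -> Optional[str]:
    """Return the 'src' address from 'ip route get' output, or None if absent."""
    m = SRC_RE.search(route_get_output)
    return m.group(1) if m else None


def path_check(route_get_output: str, ike_sa_local: str, mobike_enabled: bool) -> str:
    """Decide what the reply says charon does after an address/route change.

    Returns one of:
      'keep'   - route lookup yields the source address the IKE_SA already uses
      'mobike' - a different (or no) source was found and MOBIKE can update the path
      'reauth' - same situation, but MOBIKE is disabled or unsupported by the peer,
                 so the IKE_SA is torn down and set up anew as a last resort
    This is an illustrative model of the described behaviour, not charon's logic.
    """
    src = route_source(route_get_output)
    if src is not None and src == ike_sa_local:
        return "keep"
    # src missing (path looks unavailable) or src differs: a new path is needed
    return "mobike" if mobike_enabled else "reauth"


def live_path_check(peer: str, ike_sa_local: str, mobike_enabled: bool) -> str:
    """Run the real lookup on a Linux host (requires iproute2); not used by the samples."""
    out = subprocess.run(
        ["ip", "route", "get", peer], capture_output=True, text=True, check=True
    ).stdout
    return path_check(out, ike_sa_local, mobike_enabled)


if __name__ == "__main__":
    local = "192.0.2.50"  # constructed: address the IKE_SA currently uses
    for name, out in ROUTE_GET_SAMPLES.items():
        for mobike in (True, False):
            print(f"{name:10s} mobike={mobike!s:5s} src={route_source(out)!s:15s} "
                  f"-> {path_check(out, local, mobike)}")
```

Running the samples shows the two observations from the reply side by side: a lookup that returns the IKE_SA's own source address causes no action, while a differing or missing source leads to MOBIKE when it is enabled and to reauthentication when it is not. To see what the lookup returns on a real host, call live_path_check() with the peer address from your configuration.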