[strongSwan] regarding "reauthenticating IKE_SA due to address change"

Tobias Brunner tobias at strongswan.org
Thu Jul 28 10:53:03 CEST 2011

Hi Ujjal,

>  1) Is reauth=no has any effect or i am doing some wrong configuration

The reauth option allows to configure whether an IKE_SA is rekeyed or 
reauthenticated once it is about to expire (ikelifetime/margintime).  It 
has no effect on other circumstances where a reauthentication might be 

>  3) why the reauthentication is happening for the virtual ip address
>  not for the actual ip address configured .

The IKEv2 daemon charon listens for any address or route changes 
reported by the kernel.  If any occur the MOBIKE/roaming process is 
started.  Now in your situation two things seem to happen.  First, 
charon thinks the current path to the other peer is not available 
anymore.  Charon checks this with a route lookup (similar to 'ip route 
get x.x.x.x' where x.x.x.x is the address of the peer) and then compares 
the returned source address with the one currently used for the IKE_SA. 
  If it is equal not much more is done, otherwise charon tries to find a 
new path using MOBIKE.  Which brings me to the second observation, you 
seem to either have disabled MOBIKE (mobike=no) or your peer does not 
support it.  Due to this charon, as a last resort, tries to 
reauthenticate the IKE_SA (i.e. tear it down and set it up anew) in 
order to find a new path to the peer.

Please not that before 4.5.0 the mentioned route lookup sometimes did 
not return an IP address even if there was a route available.


More information about the Users mailing list