[strongSwan] Clarification on rekeying IKE SA
Kumuda
kumuda at linux.vnet.ibm.com
Fri Jul 6 13:45:43 CEST 2012
Hi,
I would like to understand how strongSwan handles rekeying the IKE SA
when "ikelifetime" expires. Referring to RFC 5996 Section 2.8:

"To rekey an IKE_SA, establish a new equivalent IKE_SA (see section 2.18 below) with the peer to whom the old IKE_SA is shared using a CREATE_CHILD_SA within the existing IKE_SA."
The initiator has the ipsec.conf settings below for the IKE and CHILD SA lifetimes:
rekeymargin=5s
ikelifetime="60s"
keylife="300s"
We observe that, when the IKE SA lifetime expires, the initiator triggers an INFORMATIONAL exchange with the remote node (by sending a DELETE payload for the current SA). But the RFC says a CREATE_CHILD_SA request is used to initiate rekeying of the IKE SA. Can someone clarify why strongSwan aborts the current SA instead of negotiating a rekey?
Regards,
Kumuda G
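Added example, not part of the original post and not strongSwan's own code: a small Python check that reads the ipsec.conf values quoted above and reports when a replacement IKE SA would start being negotiated and by which mechanism. It assumes the documented strongSwan semantics: replacement negotiation begins `rekeymargin` before expiry, randomly inflated by up to `rekeyfuzz` (default 100%), and the `reauth` option (default `yes`) selects a full reauthentication (old IKE SA deleted, new IKE_SA_INIT/IKE_AUTH) instead of an inline CREATE_CHILD_SA rekey. The defaults (ikelifetime 3h, keylife 1h, rekeymargin 9m) and the two conn snippets are hard-coded as constructed input.

```python
"""Report strongSwan IKE SA replacement timing and method from ipsec.conf values.

Added example (not from the mailing-list post or from strongSwan). It models
the documented semantics: a replacement is negotiated rekeymargin*(1+U(0,fuzz))
seconds before the lifetime ends, and reauth=yes (default) means the old IKE SA
is torn down and re-authenticated rather than rekeyed with CREATE_CHILD_SA.
"""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed input: the poster's settings, reauth left at its default (yes).
POSTERS_CONF = """
conn peer
    rekeymargin=5s
    ikelifetime="60s"
    keylife="300s"
"""

# Constructed input: same lifetimes, but asking for inline IKE SA rekeying.
REKEY_CONF = POSTERS_CONF + "    reauth=no\n"


def parse_time(value):
    """Parse a strongSwan time value such as 60s, "1h" or 300 (bare = seconds)."""
    m = re.fullmatch(r'"?(\d+)([smhd]?)"?', value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conn(text):
    """Collect key=value lines of a conn section into a dict; comments ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip().strip('"')
    return settings


def rekey_window(lifetime, margin, fuzz_percent=100):
    """Seconds after SA creation at which replacement may start: (earliest, latest).

    rekeyfuzz inflates the margin by a random factor in [0, fuzz_percent/100],
    so the earliest start uses the fully inflated margin, the latest the bare one.
    """
    max_margin = margin * (1 + fuzz_percent / 100)
    return lifetime - max_margin, lifetime - margin


def analyse(settings):
    """Return the IKE/CHILD replacement windows and the IKE replacement method."""
    ike_life = parse_time(settings.get("ikelifetime", "3h"))
    child_life = parse_time(settings.get("keylife", "1h"))
    margin = parse_time(settings.get("rekeymargin", "9m"))
    fuzz = int(settings.get("rekeyfuzz", "100%").rstrip("%"))
    reauth = settings.get("reauth", "yes").lower() in ("yes", "true", "1")
    ike_lo, ike_hi = rekey_window(ike_life, margin, fuzz)
    child_lo, child_hi = rekey_window(child_life, margin, fuzz)
    method = ("reauthentication: INFORMATIONAL DELETE of the old IKE SA, "
              "then a new IKE_SA_INIT/IKE_AUTH" if reauth else
              "inline rekey: CREATE_CHILD_SA within the existing IKE SA")
    return {
        "ike_replacement_window": (ike_lo, ike_hi),
        "child_rekey_window": (child_lo, child_hi),
        "ike_replacement_method": method,
        # A margin at or above the lifetime would make the SA replace immediately.
        "margin_exceeds_lifetime": ike_lo <= 0,
    }


if __name__ == "__main__":
    for name, conf in (("poster's conf", POSTERS_CONF), ("reauth=no", REKEY_CONF)):
        print(name)
        for key, val in analyse(parse_conn(conf)).items():
            print(f"  {key}: {val}")
```

With the poster's values the IKE SA replacement starts 50 to 55 seconds after the SA comes up, and because `reauth` is left at its default the replacement is a reauthentication, which is the DELETE-first behaviour described in the post; setting `reauth=no` switches the method to CREATE_CHILD_SA rekeying.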