[strongSwan] Clarification on rekeying IKE SA
kumuda at linux.vnet.ibm.com
Fri Jul 6 13:45:43 CEST 2012
I would like to understand how strongSwan handles rekeying of the IKE SA
when "ikelifetime" expires. Referring to RFC 5996 Section 2.8:
"To rekey an IKE_SA, establish a new
equivalent IKE_SA (see section 2.18 below) with the peer to whom the
old IKE_SA is shared using a CREATE_CHILD_SA within the existing
The initiator has the below ipsec.conf setting for IKE and CHILD SA lifetime.
We observe that, when the IKE SA lifetime expires, the initiator triggers
exchange with remote node (by sending DELETE payload for current SA).
says CREATE_CHILD_SA request is used to initiate rekeying IKE SA. Can
clarify why strongSwan aborts the current SA instead of negotiating for