[strongSwan] Clarification on rekeying IKE SA

Kumuda kumuda at linux.vnet.ibm.com
Fri Jul 6 13:45:43 CEST 2012


Hi,

I would like to understand how strongSwan handles rekeying of the IKE SA
when "ikelifetime" expires. Referring to RFC 5996 Section 2.8:

    "To rekey an IKE_SA, establish a new
     equivalent IKE_SA (see section 2.18 below) with the peer to whom the
     old IKE_SA is shared using a CREATE_CHILD_SA within the existing
     IKE_SA."

The initiator has the following ipsec.conf settings for the IKE and CHILD SA lifetimes.

    rekeymargin=5s
    ikelifetime="60s"
    keylife="300s"

We observe that, when the IKE SA lifetime expires, the initiator triggers an
INFORMATIONAL exchange with the remote node (by sending a DELETE payload for
the current SA). But the RFC says a CREATE_CHILD_SA request is used to initiate
rekeying of the IKE SA. Can someone clarify why strongSwan aborts the current
SA instead of negotiating a rekey?

Regards,
Kumuda G
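Added editorial example, not part of the original post: the behaviour described above is what strongSwan does when the IKE SA expiry is handled as a *reauthentication* rather than a *rekeying*. In ipsec.conf this is controlled by the `reauth` keyword, which defaults to `yes`; with reauthentication, the strongSwan releases of this period delete the old IKE_SA (the INFORMATIONAL/DELETE exchange seen in the question) and then bring up a fresh one with IKE_SA_INIT/IKE_AUTH, whereas `reauth=no` makes charon rekey in place with CREATE_CHILD_SA as RFC 5996 Section 2.8 describes. The connection name and peer addresses are placeholders.

```ini
# Added example (not from the thread). Two variants of the poster's
# lifetime settings, differing only in the reauth keyword.

# Variant A: reauth unset, so the default reauth=yes applies.
# At ikelifetime (minus rekeymargin) the initiator REAUTHENTICATES:
# old IKE_SA is deleted via INFORMATIONAL(DELETE), then a new
# IKE_SA_INIT/IKE_AUTH runs. This matches the observation in the post.
conn example-reauth
    keyexchange=ikev2
    left=%any
    right=198.51.100.1          # placeholder peer address
    rekeymargin=5s
    ikelifetime=60s
    keylife=300s
    auto=add

# Variant B: reauth=no, so expiry of the IKE SA is handled by REKEYING:
# the initiator sends CREATE_CHILD_SA inside the existing IKE_SA to
# create an equivalent IKE_SA, and only afterwards deletes the old one.
conn example-rekey
    keyexchange=ikev2
    left=%any
    right=198.51.100.1          # placeholder peer address
    rekeymargin=5s
    ikelifetime=60s
    keylife=300s
    reauth=no
    auto=add
```

A quick way to confirm which path a running daemon takes is to watch the charon log around the ikelifetime boundary: a reauthentication logs the DELETE of the old IKE_SA followed by a new IKE_SA_INIT, while a rekeying logs a CREATE_CHILD_SA request carrying a new SA proposal and nonces. Note that rekeying (`reauth=no`) keeps the peer's original authentication, so it does not re-check credentials or certificates; reauthentication does, at the cost of briefly tearing down the tunnel on these versions.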
