[strongSwan] Clarification on rekeying IKE SA

Martin Willi martin at strongswan.org
Fri Jul 6 15:37:11 CEST 2012

Hi Kumuda,

> We observe that, when ike sa life time expires, initiator triggers
> INFORMATION exchange with remote node (by sending DELETE payload for
> current SA). But RFC says CREATE_CHILD_SA request is used to initiate
> rekeying IKE SA.

By default, strongSwan does a complete IKE_SA re-authentication if the
lifetime expires. You can change this behavior to use IKE_SA rekeying
instead by setting reauth=no in your connection.


More information about the Users mailing list