[strongSwan] query regarding reauthentication in strongswan

Martin Willi martin at strongswan.org
Tue Aug 27 12:41:33 CEST 2013


Hi,

> we are not able to support the same as strongswan first deletes the old
> IKE tunnel then creates a new one. As part of old IKE tunnel deletion,
> GTP tunnel is also removed, so the purpose of re-authentication is not
> met.

Re-authentication has always been problematic: IKEv2 recommends using
make-before-break, i.e. establishing the new IKE_SA (+CHILD_SA) from scratch
before deleting the old one.

However, we can't properly support make-before-break because of
limitations in the Linux kernel. It does not really support overlapping
CHILD_SAs with identical traffic selectors, which is usually the case
during re-authentication. Because of these limitations, we have to use
break-before-make in strongSwan, resulting in a small downtime of the
tunnel.

There is currently a discussion at the IETF IPsecME working group about
an extension to address such issues [1]. This could solve these problems
between compatible implementations. We have no plans yet to implement
this extension, though.

Regards,
Martin

[1] http://tools.ietf.org/html/draft-nir-ipsecme-cafr-02