[strongSwan] query regarding reauthentication in strongswan

Martin Willi martin at strongswan.org
Tue Aug 27 12:41:33 CEST 2013


> we are not able to support the same as strongswan first deletes the old
> IKE tunnel then creates a new one. As part of old IKE tunnel deletion,
> GTP tunnel is also removed, so the purpose of re-authentication is not
> met.

Re-authentication has always been problematic: IKEv2 recommends using
make-before-break, i.e. establishing the new IKE_SA (+CHILD_SA) from scratch
before deleting the old one.

However, we can't properly support make-before-break because of
limitations in the Linux kernel. It does not really support overlapping
CHILD_SAs with identical traffic selectors, which is usually the case
during re-authentication. Because of these limitations, we have to use
break-before-make in strongSwan, resulting in a small downtime of the

There is currently a discussion at the IETF IPsecME working group about
an extension to address such issues [1]. This could solve these problems
between compatible implementations. We have no plans yet to implement
this extension, though.
