[strongSwan] Charon IKEv1 rekeying?

Gerald Richter - ECOS richter at ecos.de
Fri Mar 1 16:15:11 CET 2013


Hi Martin,

> 
> > deleting duplicate IKE_SA for peer 'DC=test, DC=testuml,
> > OU=Zertifikate, CN=ipsec cert' due to uniqueness policy
> 
> > If I add "uniqueids = no" to the ipsec.conf, it works, but this was
> > never necessary in the past.
> 
> This is indeed an issue: ISAKMP reauthentication does not properly migrate
> children from the replaced to the new SA. This is required when having a
> unique policy. I pushed two changes to [1] fixing this issue.
> Let me know if this works for you.
> 
> [1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ikev1-rekeying
>


The patch works for us. Phase 1 rekeying with policy=unique now works without problems.

Thanks 

Gerald




