[strongSwan] Aggressive Mode. Rekeying fails
Martin Willi
martin at strongswan.org
Tue Mar 12 10:09:05 CET 2013
Hi Gerald,
> The IKE Rekeying succeeds, but afterwards it gets
> stuck within a mode_config request. I don't think there should be a
> mode_config request during rekeying or I am wrong?
strongSwan binds an INTERNAL_IPx_ADDRESS to the ISAKMP_SA, so it valid
only during the lifetime of an ISAKMP_SA. This implies that IKE rekeying
(or better, re-authentication) re-negotiates virtual IPs.
It is not fully clear to me what is the correct behavior, but
draft-dukes-ike-mode-cfg-02 says:
> The requested address is valid until the expiry time defined with
> the INTERNAL_ADDRESS EXPIRY attribute or until the ISAKMP SA that
> was used to secure the request expires.
Regards
Martin
More information about the Users
mailing list