[strongSwan] Aggressive Mode. Rekeying fails

Martin Willi martin at strongswan.org
Tue Mar 12 10:09:05 CET 2013

Hi Gerald,

> The IKE Rekeying succeeds, but afterwards it gets
> stuck within a mode_config request. I don't think there should be a
> mode_config request during rekeying, or am I wrong?

strongSwan binds an INTERNAL_IPx_ADDRESS to the ISAKMP_SA, so it is valid
only during the lifetime of an ISAKMP_SA. This implies that IKE rekeying
(or better, re-authentication) re-negotiates virtual IPs.

It is not fully clear to me what is the correct behavior, but
draft-dukes-ike-mode-cfg-02 says:

> The requested address is valid until the expiry time defined with
> the INTERNAL_ADDRESS EXPIRY attribute or until the ISAKMP SA that
> was used to secure the request expires.

