[strongSwan] Renegotiation when SPI missing

Martin Willi martin at strongswan.org
Tue Nov 26 10:14:14 CET 2013


Hi Steffen,

> # ip xfrm state flush
> 
> the connection went down immediately (of course). While I have
> strongSwan configured to use DPD I expected it to renegotiate
> automatically, but it didn't.

I think this test is somewhat constructed. Unless the admin explicitly
deletes kernel state, this can't happen. If an SA expires, then the
kernel raises an expire event, for which the daemon creates a fresh SA
pair using rekeying.

If you want to close an SA explicitly, make such changes through the IKE
daemon (using the "ipsec" script). This way the IKE daemon knows about
these changes as well. If you do this for a connection installed with
auto=route, the daemon gets an acquire from the kernel and establishes a
new CHILD_SA.

Regards
Martin
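An ipsec.conf fragment, added here as an illustration of the behaviour described in the reply above (a constructed example, not from the original thread or the strongSwan project; the connection name, identities, addresses and lifetimes are assumptions). With auto=route the daemon installs a trap policy, so after "ipsec down home" the next matching packet raises a kernel acquire and a fresh CHILD_SA is negotiated, while the lifetime/margintime pair controls the kernel expire event that drives normal rekeying.

```ini
# /etc/ipsec.conf (constructed example; names and addresses are placeholders)
config setup

conn home
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftid=@client.example.org
    right=gw.example.org
    rightsubnet=10.2.0.0/24
    rightid=@gw.example.org
    # The kernel raises a soft expire at lifetime - margintime; the daemon
    # reacts by rekeying the CHILD_SA before the hard expiry at lifetime.
    lifetime=1h
    margintime=9m
    ikelifetime=3h
    # DPD only detects a dead peer; it cannot notice kernel state removed
    # behind the daemon's back with "ip xfrm state flush".
    dpdaction=restart
    dpddelay=30s
    # Trap policy: "ipsec down home" removes the SAs but keeps the policy,
    # and the next matching packet yields an acquire that re-establishes the
    # CHILD_SA. Manage the SA with "ipsec up home" / "ipsec down home".
    auto=route
```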
