[strongSwan] server initiated ipsec rekey

Martin Willi martin at strongswan.org
Fri Sep 27 08:20:37 CEST 2013


> About 15 minutes after init and auth successes, StrongSwan sends
> create_child_sa to rekey the child sa. But the message id is reset to 0
> and neither initiator nor response flag is set. I don't think it is
> right according to the standard.

This depends on who is initiating the rekeying. If it is initiated by the
original responder (i.e. not the peer that initiated the tunnel), a
message ID of 0 might be correct, and also the initiator/response flag
would be as expected. IKEv2 uses distinct message ID counters for inbound
and outbound exchanges, both starting at 0.
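
The check described in the reply above, as an added example that is not part of the original message and is not strongSwan code: it parses the fixed IKEv2 header (RFC 7296, section 3.1) and validates an inbound message against per-direction message ID counters. The class and function names, the window size of 1 and the sample packet are assumptions made for illustration.

```python
import struct

# IKEv2 fixed header (RFC 7296, section 3.1): SPIi, SPIr, next payload,
# version, exchange type, flags, message ID, length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
CREATE_CHILD_SA = 36
FLAG_INITIATOR = 0x08   # set by the original initiator of the IKE SA
FLAG_RESPONSE = 0x20    # set in responses, clear in requests

def parse_header(data):
    _, _, _, _, exch, flags, msg_id, _ = IKE_HDR.unpack_from(data)
    return {"exchange": exch, "msg_id": msg_id,
            "initiator": bool(flags & FLAG_INITIATOR),
            "response": bool(flags & FLAG_RESPONSE)}

class IkeSaView:
    """Message ID state of one IKE SA as one peer sees it (window size 1)."""
    def __init__(self, we_are_original_initiator, requests_sent=0):
        self.we_are_original_initiator = we_are_original_initiator
        self.next_out_request = requests_sent  # counter for our own requests
        self.next_in_request = 0               # counter for the peer's requests

    def check_inbound(self, hdr):
        # The peer sets the I flag only if it is the original initiator.
        if hdr["initiator"] == self.we_are_original_initiator:
            return "bad initiator flag"
        if hdr["response"]:
            # A response echoes the ID of our latest outstanding request.
            if hdr["msg_id"] != self.next_out_request - 1:
                return "unsolicited response"
            return "ok"
        if hdr["msg_id"] != self.next_in_request:
            return "request id outside window"
        self.next_in_request += 1
        return "ok"

def build_header(exch, flags, msg_id):
    # Constructed sample: placeholder SPIs, header only (length 28).
    return IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 0, 0x20,
                        exch, flags, msg_id, IKE_HDR.size)

# Constructed packet: rekey request from the original responder,
# message ID 0, neither the initiator nor the response flag set.
REKEY_REQUEST = build_header(CREATE_CHILD_SA, 0x00, 0)

if __name__ == "__main__":
    # Tunnel initiator that has already sent IKE_SA_INIT (0) and IKE_AUTH (1).
    client = IkeSaView(we_are_original_initiator=True, requests_sent=2)
    print(client.check_inbound(parse_header(REKEY_REQUEST)))
```
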

