[strongSwan] IKE AUTH renegotiation
Martin Willi
martin at strongswan.org
Wed Aug 6 09:58:51 CEST 2014
Hi Eric,
> Is it possible to keep an IP address for a client during an IKE AUTH
> renegotiation?
Yes. For clients using break-before-make during re-authentication (such
as strongSwan itself), this is no issue at all. The tunnel and the
virtual IP get released, so it automatically should get reassigned to
the same client identity.
As it is rather difficult to distinguish a second, unrelated IKE_SA
request from a re-authentication attempt when a client is using
make-before-break, this is less trivial. There are a few issues to
consider.
> The following line in strongswan.conf was working:
>     charon.mem-pool.reassign_on_line = true
That should work, but the option actually is named reassign_online. And
you can't define strongswan.conf options on a single line, but have to
use sections, such as:
    charon {
        mem-pool {
            reassign_online = yes
        }
    }
But please be aware that make-before-break re-authentication probably
fails nonetheless: As there is no association between the old and new
IKE_SA, strongSwan assigns a new reqid for the new CHILD_SA, but the
kernel can't handle multiple policies having the same selectors.
Regards
Martin
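To make the two points in the reply checkable (the option name is reassign_online, and it must sit inside nested sections rather than on one dotted line), here is an added example that is not part of the original thread and not strongSwan's own parser: a minimal reader for a simplified subset of the strongswan.conf section syntax (no include statements or multi-line values), with two constructed sample files, the misspelled single-line form from the question and the sectioned form from the reply. The set of values treated as "true" is an assumption.

```python
# Constructed sample: the single dotted line from the original question.
SAMPLE_WRONG = """\
charon.mem-pool.reassign_on_line = true
"""

# Constructed sample: the sectioned form given in the reply.
SAMPLE_RIGHT = """\
charon {
    mem-pool {
        reassign_online = yes   # reassign leases during re-authentication
    }
}
"""

def parse_strongswan_conf(text):
    """Parse 'name {' sections, 'key = value' lines, '}' and '#' comments
    into a nested dict. Simplified subset of the real file format."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments/whitespace
        if not line:
            continue
        if line.endswith('{'):                    # open a section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == '}':                         # close the section
            cur = stack.pop()
        elif '=' in line:                         # plain key = value
            key, value = (s.strip() for s in line.split('=', 1))
            cur[key] = value
        else:
            raise ValueError("unparseable line: %r" % raw)
    if stack:
        raise ValueError("unbalanced braces in strongswan.conf")
    return root

def lookup(conf, dotted):
    """Walk a dotted path such as charon.mem-pool.reassign_online."""
    node = conf
    for part in dotted.split('.'):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def reassign_online_enabled(text):
    """True only if the correctly named option is set in the right section."""
    value = lookup(parse_strongswan_conf(text), 'charon.mem-pool.reassign_online')
    return value in ('yes', 'true', '1')          # assumed truthy spellings
```

With the single-line form the whole dotted string becomes one top-level key, so the lookup finds no charon section at all, which is why that file had no effect.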