[strongSwan] IKE AUTH renegociation

Martin Willi martin at strongswan.org
Wed Aug 6 09:58:51 CEST 2014

Hi Eric,

> Is it possible de keep an IP address for a client during a IKE AUTH
> renegociation?

Yes. For clients using break-before-make during re-authentication (such
as strongSwan itself), this is no issue at all. The tunnel and the
virtual IP get released, so it automatically should get reassigned to
the same client identity.

As it is rather difficult to distinguish a second, unrelated IKE_SA
request from a re-authentication attempt when a client is using
make-before-break, this is less trivial. There are a few issues to

> The following line in strongswan.conf was working :
> charon.mem-pool.reassign_on_line = true

That should work, but the option actually is named reassign_online. And
you can't define strongswan.conf options on a single line, but have to
use sections, such as:

charon {
  mem-pool {
    reassign_online = yes

But please be aware that make-before-break re-authentication probably
fails nonetheless: As there is no association between the old and new
IKE_SA, strongSwan assigns a new reqid for the new CHILD_SA, but the
kernel can't handle multiple policies having the same selectors.


More information about the Users mailing list