[strongSwan] IKE AUTH renegotiation
Eric Boudrand
eric.boudrand at thegreenbow.com
Wed Aug 6 15:19:45 CEST 2014
Hi Martin,
> That should work, but the option actually is named reassign_online. And
> you can't define strongswan.conf options on a single line, but have to
> use sections, such as:
>
> charon {
>     mem-pool {
>         reassign_online = yes
>     }
> }
It works. Thanks.
> But please be aware that make-before-break re-authentication probably
> fails nonetheless: As there is no association between the old and new
> IKE_SA, strongSwan assigns a new reqid for the new CHILD_SA, but the
> kernel can't handle multiple policies having the same selectors.
You are right. But break-before-make can interrupt the traffic for a few
seconds. Does strongSwan use the IP address specified in the CP payload
sent by the client during the IKE AUTH exchange?
Regards.
Eric Boudrand