[strongSwan] IKE AUTH renegociation

Eric Boudrand eric.boudrand at thegreenbow.com
Wed Aug 6 15:19:45 CEST 2014

Hi Martin,

> That should work, but the option actually is named reassign_online. And
> you can't define strongswan.conf options on a single line, but have to
> use sections, such as:
> charon {
>    mem-pool {
>      reassign_online = yes
>    }
> }

It works. Thanks.

> But please be aware that make-before-break re-authentication probably
> fails nonetheless: As there is no association between the old and new
> IKE_SA, strongSwan assigns a new reqid for the new CHILD_SA, but the
> kernel can't handle multiple policies having the same selectors.

You are right. But, break-before-make can interrupt the traffic a few 
seconds. Does Strongswan uses the IP address specified in the CP payload 
sent by the client during IKE AUTH exchange ?


Eric Boudrand

More information about the Users mailing list