[strongSwan] issues with Child SA re-negotiation
Martin Willi
martin at strongswan.org
Tue Nov 18 08:39:36 CET 2014
Hi,
> While re-negotiating child SA, old SAs/Policies are first deleted and
> then the new SA are created. Due to this issue in the transition time
> some of the packets are leaked unencrypted to the network.
I don't think this is true for CHILD_SA rekeying, as we use the
overlapping rekeying procedure as mandated by IKEv2. But please provide
a log if you really thing this is related to CHILD_SA rekeying.
When using reauthentication, however, this is true. strongSwan uses a
break-before-make mechanism in IKE_SA reauthentication. You may disable
IKE_SA reauthentication in favor of rekeying using the reauth ipsec.conf
option to avoid that connectivity gap.
In the make-before-break branch [1] I'm currently implementing an
overlapping reauthentication mechanism for IKEv2; it is planned to be
integrated to the next release.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/make-before-break
More information about the Users
mailing list