[strongSwan] issues with Child SA re-negotiation

Nikhil.Agarwal at freescale.com Nikhil.Agarwal at freescale.com
Tue Nov 18 10:09:23 CET 2014

Hi Martin,

Thanks for your quick response. I will check the logs for exact issue.

Does IKEv1 re-authentication support make-before-break mechanism?


> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Tuesday, November 18, 2014 1:10 PM
> To: Agarwal Nikhil-B38457
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] issues with Child SA re-negotiation
> Hi,
> > While re-negotiating child SA, old SAs/Policies are first deleted and
> > then the new SA are created. Due to this issue in the transition time
> > some of the packets are leaked unencrypted to the network.
> I don't think this is true for CHILD_SA rekeying, as we use the
> overlapping rekeying procedure as mandated by IKEv2. But please provide a
> log if you really thing this is related to CHILD_SA rekeying.
> When using reauthentication, however, this is true. strongSwan uses a
> break-before-make mechanism in IKE_SA reauthentication. You may disable
> IKE_SA reauthentication in favor of rekeying using the reauth ipsec.conf
> option to avoid that connectivity gap.
> In the make-before-break branch [1] I'm currently implementing an
> overlapping reauthentication mechanism for IKEv2; it is planned to be
> integrated to the next release.
> Regards
> Martin
> [1]http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ma
> ke-before-break

More information about the Users mailing list