[strongSwan] IKEv2 Rekeying of IKE_SA using CREATE_CHILD_SA message

samiran saha samiran.linux at gmail.com
Thu Apr 23 13:46:27 CEST 2015

I have a confusion regarding the rekeying procedure of the IKE_SA in IKEv2. My
confusion is whether, when rekeying of the IKE_SA is done, the respective keys of
its CHILD_SAs, i.e. the ESP or AH SAs, would be changed or not. As per RFC 7296, in
the rekeying procedure of the IKE_SA a new SKEYSEED would be generated and then a new
set of
          {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} =
                                          prf+ (SKEYSEED, Ni | Nr | SPIi |
i.e. a new SK_d is generated. So, using these new values, would new KEYMAT
be generated or not in this way:
                        KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr).

And would new ESP/AH keys be generated or enforced using this or not, since
SK_d, g^ir (new), Ni and Nr have changed?
In simple words, does rekeying of the IKE_SA lead to rekeying of all Child SAs,
keeping all other things of the Child SAs intact?
Can anyone say something on this? I need a quick response. Please
comment if you know about this.
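
Added example, not part of the original post and not strongSwan code: a Python model of the RFC 7296 derivations the question refers to (prf+ from section 2.13, SKEYSEED for a rekeyed IKE_SA from section 2.18, KEYMAT from section 2.17, Child SA inheritance from section 2.8). HMAC-SHA256 as the PRF, the 32-byte key lengths, the dictionary layout and every nonce, SPI and Diffie-Hellman value are constructed assumptions.

```python
import hashlib, hmac

NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def prf(key, data):
    # Assumption: the negotiated PRF is HMAC-SHA256.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    # RFC 7296 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ output is limited to 255 blocks")
        block = prf(key, block + seed + bytes([n]))
        out, n = out + block, n + 1
    return out[:length]

def ike_sa_keys(skeyseed, ni, nr, spi_i, spi_r, klen=32):
    # Assumption: every SK_* key is 32 bytes long.
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, klen * len(NAMES))
    return {name: stream[i * klen:(i + 1) * klen] for i, name in enumerate(NAMES)}

def rekey_ike_sa(old, g_ir_new, ni, nr, spi_i, spi_r):
    # RFC 7296 2.18: SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr).
    # RFC 7296 2.8: the new IKE_SA inherits the Child SAs; KEYMAT is carried over.
    seed = prf(old["keys"]["SK_d"], g_ir_new + ni + nr)
    return {"keys": ike_sa_keys(seed, ni, nr, spi_i, spi_r), "children": old["children"]}

def child_keymat(sk_d, ni, nr, g_ir_new=b"", length=64):
    # RFC 7296 2.17: KEYMAT = prf+(SK_d, [g^ir (new) |] Ni | Nr)
    return prf_plus(sk_d, g_ir_new + ni + nr, length)

def demo():
    # Constructed sample values, not taken from a real exchange.
    ni, nr, g_ir = b"\x11" * 32, b"\x22" * 32, b"\x33" * 256
    keys = ike_sa_keys(prf(ni + nr, g_ir), ni, nr, b"\xa1" * 8, b"\xb1" * 8)
    old = {"keys": keys, "children": {"esp-1": child_keymat(keys["SK_d"], ni, nr)}}
    ni2, nr2, g_ir2 = b"\x44" * 32, b"\x55" * 32, b"\x66" * 256
    new = rekey_ike_sa(old, g_ir2, ni2, nr2, b"\xa2" * 8, b"\xb2" * 8)
    # Only a separate Child SA rekey derives fresh ESP/AH keys from the new SK_d.
    fresh = child_keymat(new["keys"]["SK_d"], b"\x77" * 32, b"\x88" * 32)
    return old, new, fresh

if __name__ == "__main__":
    old, new, fresh = demo()
    print("SK_d changed:", old["keys"]["SK_d"] != new["keys"]["SK_d"])
    print("esp-1 KEYMAT unchanged:", old["children"] == new["children"])
```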
