[strongSwan] Loss of tunnel service while reauthenticating IKE_SA?
Tom Rymes
trymes at rymes.com
Thu Mar 12 16:22:50 CET 2015
On 03/12/2015 11:16 AM, Noel Kuntze wrote:
> Hello Ken,
>
> It is dependent on the IKE version.
> Quote from the man page:
>
> reauth = yes | no
> whether rekeying of an IKE_SA should also reauthenticate the
> peer. In IKEv1, reauthentication is always done. In IKEv2, a
> value of no rekeys without uninstalling the IPsec SAs, a value
> of yes (the default) creates a new IKE_SA from scratch and tries
> to recreate all IPsec SAs.
>
> Obviously, setting reauth=no will keep the tunnel up during rekeying of the IKE SAs.
> You have to use "reauth=no" on both sides to make it work.
Noel,
Is there a reason that, when using two strongSwan endpoints, one would
not choose reauth=no? It seems to me that using reauth=no would result
in fewer traffic interruptions, unless I have missed something.
Tom
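
An added example, not part of the original messages and not strongSwan code: a small audit helper that reads the ipsec.conf text of both peers and classifies what IKE_SA rekeying does to a tunnel, following the man page text and the "both sides" remark quoted above. The conn name, addresses and result labels are constructed for illustration; keyexchange is the ipsec.conf option that selects the IKE version, and also= inheritance is not handled.

```python
import re

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                     # config setup / ca sections are ignored
    return conns

def effective(conns, name):
    """Settings of one conn with conn %default merged underneath."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged

def ike_rekey_behaviour(local_text, peer_text, name):
    """Classify IKE_SA rekeying for conn `name` as configured on both peers."""
    sides = [effective(parse_conns(t), name) for t in (local_text, peer_text)]
    if any(s.get("keyexchange") == "ikev1" for s in sides):
        return "always-reauth"     # IKEv1: reauthentication is always done
    if all(s.get("reauth", "yes") == "no" for s in sides):
        return "rekey-in-place"    # IKEv2, reauth=no on both: IPsec SAs stay installed
    return "reauth-on-rekey"       # a side still has reauth=yes (the default)

# Constructed sample configurations (documentation addresses)
GW_A = """
conn %default
    keyexchange=ikev2
conn site-b
    right=198.51.100.1
    reauth=no
"""
GW_B_DEFAULT = """
conn site-b
    keyexchange=ikev2
    right=192.0.2.1
"""
GW_B_FIXED = GW_B_DEFAULT + "    reauth=no\n"
```

With GW_B_DEFAULT the peer still falls back to reauth=yes, so the helper reports "reauth-on-rekey"; only the GW_A / GW_B_FIXED pair yields "rekey-in-place".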