[strongSwan] Loss of tunnel service while reauthenticating IKE_SA?
Martin Willi
martin at strongswan.org
Thu Mar 12 16:32:19 CET 2015
Hi Tom,
> Is there a reason that, when using two Strongswan endpoints, one would
> not choose reauth=no?
Yes. Reauthentication re-evaluates authentication credentials, checks
the certificate status or rechecks permissions in the AAA backend.
IKE_SA rekeying, as used with reauth=no, only refreshes key material,
but does not verify the peer credentials.
> It seems to me that using reauth=no would result in fewer traffic
> interruptions, unless I have missed something.
Yes. However, with the upcoming 5.3.0 release, we will introduce support
for make-before-break re-authentication, which establishes the new
tunnel with all CHILD_SAs before closing the old one, basically avoiding
any interruptions.
Regards
Martin
More information about the Users
mailing list