[strongSwan] Loss of tunnel service while reauthenticating IKE_SA?

Martin Willi martin at strongswan.org
Thu Mar 12 16:32:19 CET 2015


Hi Tom,

> Is there a reason that, when using two Strongswan endpoints, one would 
> not choose reauth=no?

Yes. Reauthentication re-evaluates authentication credentials, checks
the certificate status or rechecks permissions in the AAA backend.
IKE_SA rekeying, as used with reauth=no, only refreshes key material,
but does not verify the peer credentials.

> It seems to me that using reauth=no would result in fewer traffic
> interruptions, unless I have missed something.

Yes. However, with the upcoming 5.3.0 release, we will introduce support
for make-before-break re-authentication, which establishes the new
tunnel with all CHILD_SAs before closing the old one, basically avoiding
any interruptions.

Regards
Martin
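To make the trade-off above concrete, here is an added configuration example; it is not from the original thread and not strongSwan's own documentation. It contrasts a rekey-only connection (reauth=no) with a reauthenticating one, and shows the strongswan.conf switch that selects make-before-break reauthentication from 5.3.0 on. The connection names, addresses and lifetimes are placeholders chosen for illustration.

```ini
# ipsec.conf (IKEv2, certificate authentication)

conn rekey-only
    # Placeholder peers; replace with real addresses.
    left=192.0.2.1
    right=198.51.100.1
    keyexchange=ikev2
    ikelifetime=3h
    margintime=9m
    # reauth=no: the IKE_SA is rekeyed in place (CREATE_CHILD_SA).
    # Keys are refreshed, but the peer's certificate, CRL/OCSP status
    # and AAA permissions are NOT re-checked for the tunnel's lifetime.
    reauth=no
    auto=start

conn reauth
    left=192.0.2.1
    right=198.51.100.1
    keyexchange=ikev2
    ikelifetime=3h
    margintime=9m
    # reauth=yes (the default): every ikelifetime the peer is
    # re-authenticated, so revoked certificates or withdrawn AAA
    # permissions actually take effect. Without make-before-break
    # the old IKE_SA and its CHILD_SAs are torn down first, so each
    # reauthentication causes a short loss of tunnel service.
    reauth=yes
    auto=start

# strongswan.conf (requires strongSwan 5.3.0 or later)

charon {
    # Set up the replacement IKE_SA and all CHILD_SAs before deleting
    # the old ones, so reauthentication no longer interrupts traffic.
    # Default is "no" (break-before-make). The peer must tolerate the
    # briefly overlapping SAs that this scheme creates.
    make_before_break = yes
}
```

After reloading, `ipsec statusall` reports each IKE_SA's scheduled rekeying or reauthentication time, which lets you confirm that the connection is actually reauthenticating rather than only rekeying.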
