[strongSwan] Loss of tunnel service while reauthenticating IKE_SA?

Tom Rymes trymes at rymes.com
Thu Mar 12 16:37:44 CET 2015


On 03/12/2015 11:32 AM, Martin Willi wrote:

>> Is there a reason that, when using two strongSwan endpoints, one would
>> not choose reauth=no?
>
> Yes. Reauthentication re-evaluates authentication credentials, checks
> the certificate status or rechecks permissions in the AAA backend.
> IKE_SA rekeying, as used with reauth=no, only refreshes key material,
> but does not verify the peer credentials.

I see. But if you were worried about re-evaluating the credentials,
wouldn't you be better served by setting a shorter lifetime for the IKE SA?

>> It seems to me that using reauth=no would result in fewer traffic
>> interruptions, unless I have missed something.
>
> Yes. However, with the upcoming 5.3.0 release, we will introduce support
> for make-before-break re-authentication, which establishes the new
> tunnel with all CHILD_SAs before closing the old one, basically avoiding
> any interruptions.

Ah, interesting. I will look forward to this.

Tom
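For readers who want to see where the two behaviours discussed in this thread are configured, the following is an added configuration example and not part of the original post or of the strongSwan project's own documentation. The connection names, addresses, identities and certificate file names are placeholders; the option names (reauth, ikelifetime, lifetime, margintime, rekeyfuzz in ipsec.conf, and charon.make_before_break in strongswan.conf) are real strongSwan settings. It contrasts a rekey-only connection, which refreshes keys but never re-examines the peer's credentials, with a reauthenticating connection, and shows the strongswan.conf switch that enables the make-before-break reauthentication introduced in 5.3.0.

```conf
# /etc/ipsec.conf  (added example; names and addresses are placeholders)

conn common
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example.org
    leftcert=gw-a.pem
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightid=@gw-b.example.org
    rightsubnet=10.2.0.0/16
    # ikelifetime bounds the IKE_SA; lifetime bounds each CHILD_SA.
    # margintime/rekeyfuzz start the replacement early and randomise it so
    # both peers do not collide on the same second.
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%

# Variant 1: rekey only. When ikelifetime expires the IKE_SA is rekeyed in
# place (fresh keys via CREATE_CHILD_SA). Certificate status (CRL/OCSP), EAP
# or AAA permissions are NOT re-checked, so a certificate revoked after
# tunnel setup keeps working until the tunnel is torn down for another
# reason. Shortening ikelifetime here only rekeys more often.
conn site-a-rekey-only
    also=common
    reauth=no
    auto=start

# Variant 2: reauthenticate. When ikelifetime expires a brand-new IKE_SA is
# negotiated, the peer proves its identity again and revocation/AAA checks
# run again. In releases before 5.3.0 this closes the old IKE_SA first, so
# traffic pauses until the new CHILD_SAs are up.
conn site-a-reauth
    also=common
    reauth=yes
    auto=start
```

```conf
# /etc/strongswan.conf  (added example)
charon {
    # Available from strongSwan 5.3.0; off by default. With reauth=yes the
    # initiator builds the replacement IKE_SA and its CHILD_SAs before
    # deleting the old ones, so reauthentication no longer interrupts traffic.
    make_before_break = yes
}
```

The operational point for a defender: `reauth=no` with a short `ikelifetime` does not give you the credential re-validation that `reauth=yes` does; only reauthentication forces the peer back through certificate or AAA checks. After changing either file, `ipsec reload` (or a restart for strongswan.conf) applies the new lifetimes to subsequently established SAs.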