[strongSwan] Loss of tunnel service while reauthenticating IKE_SA?
Ken Nelson
ken at cazena.com
Thu Mar 12 19:44:59 CET 2015
The make-before-break re-authentication feature is good news. Very interested in trying it out - is there an expected date for the 5.3.0 release?
> On Mar 12, 2015, at 9:32 AM, Martin Willi <martin at strongswan.org> wrote:
>
> Hi Tom,
>
>> Is there a reason that, when using two Strongswan endpoints, one would
>> not choose reauth=no?
>
> Yes. Reauthentication re-evaluates authentication credentials, checks
> the certificate status or rechecks permissions in the AAA backend.
> IKE_SA rekeying, as used with reauth=no, only refreshes key material,
> but does not verify the peer credentials.
>
>> It seems to me that using reauth=no would result in fewer traffic
>> interruptions, unless I have missed something.
>
> Yes. However, with the upcoming 5.3.0 release, we will introduce support
> for make-before-break re-authentication, which establishes the new
> tunnel with all CHILD_SAs before closing the old one, basically avoiding
> any interruptions.
>
> Regards
> Martin
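The two choices discussed in this thread, side by side, as an added configuration sketch (not part of either message and not taken from the strongSwan project's own files). The conn names and the lifetime value are constructed placeholders; `make_before_break` is the strongswan.conf option name in releases from 5.3.0 on, which the thread itself does not name.

```conf
# /etc/ipsec.conf -- constructed example; conn names and lifetimes are placeholders

# Variant A: IKE_SA rekeying only. Key material is refreshed, but peer
# credentials, certificate status and AAA permissions are NOT re-evaluated
# for as long as the tunnel stays up.
conn site-rekey-only
    keyexchange=ikev2
    ikelifetime=3h
    reauth=no

# Variant B: full reauthentication each time the IKE_SA lifetime expires.
# Credentials are verified again; a revoked certificate or a removed AAA
# permission takes effect at the next reauthentication.
conn site-reauth
    keyexchange=ikev2
    ikelifetime=3h
    reauth=yes

# /etc/strongswan.conf -- requires strongSwan 5.3.0 or later
charon {
    # Establish the new IKE_SA with all CHILD_SAs before deleting the old
    # one, instead of the default break-before-make order.
    make_before_break = yes
}
```

Make-before-break depends on the peer accepting overlapping IKE and CHILD_SAs during the handover.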