[strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

Tobias Brunner tobias at strongswan.org
Tue Aug 30 10:40:54 CEST 2016

Hi Tore,

> I was under the impression that enabling "charon.make_before_break"
> would only alter how strongSwan behaves when it is the party initiating
> the re-authentication procedure.


> In the initiator case, I wouldn't have
> thought there was any need for such heuristics and assumptions, as
> strongSwan should have full knowledge of which old SAs are indeed
> duplicates and therefore should be deleted after the new SAs are
> installed.


> You appear to be talking about the responder role, however. What I'm
> not clear about is how exactly enabling "charon.make_before_break"
> affects strongSwan's behaviour during a re-authentication procedure when
> in the responder role?

Not at all.

> I find it rather nonintuitive that enabling "charon.make_before_break"
> would cause any change at all to strongSwan's responder role behaviour,
> to be honest.

It doesn't.

> Specifically, I don't really understand how the use of the
> "charon.make_before_break" method in strongSwan could possibly prevent
> the remote IKE peer from initiating and performing a "break before
> make" style re-authentication (or vice versa).

It can't.
