[strongSwan] Traffic selector modification ignored when rekeying SA
FRECHIN and Co
regis.frechin22 at orange.fr
Mon Aug 21 15:52:48 CEST 2017
Thank you for the feedback.
So as of today, the only way to update the traffic selector list for a given connection with strongSwan is to wait for the next reauthentication, meaning potential packet drops during the process.
My idea was initially to set a quite low rekeying time (to quickly update the TS list) and a high reauth timer. Now that I can rely only on the reauth timer and would like to keep this timer quite high (to avoid packet loss), I wonder if I can occasionally (when the TS list changes) force reauthentication. Any hint, through vici perhaps?
Thanks a lot,
> Message of 13/07/17 18:05
> From: "Mike Taylor"
> To: "'Tobias Brunner'", "'Sarefrech'", users at lists.strongswan.org
> Cc:
> Subject: RE: [strongSwan] Traffic selector modification ignored when rekeying SA
> Hello, I happened to be working to upgrade an existing IKEv2 to RFC7296 and
> one of the things I noticed in RFC7296 came to mind when seeing this thread.
> From RFC7296 Section 1.7
> In Section 2.8, "Note that, when rekeying, the new Child SA MAY have
> different Traffic Selectors and algorithms than the old one" was
> changed to "Note that, when rekeying, the new Child SA SHOULD NOT
> have different Traffic Selectors and algorithms than the old one".
> So the behavior of changing the traffic selectors during rekey is discouraged
> although not completely forbidden.
> -----Original Message-----
> From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of Tobias Brunner
> Sent: Thursday, July 13, 2017 8:58 AM
> To: Sarefrech; users at lists.strongswan.org
> Subject: Re: [strongSwan] Traffic selector modification ignored when rekeying SA
> > Is there a way to force TS modification at rekeying time?