[strongSwan] Traffic selector modification ignored when rekeying SA
FRECHIN and Co
regis.frechin22 at orange.fr
Mon Aug 21 15:52:48 CEST 2017
Hi,
Thank you for the feedback.
So as of today, the only way to update the traffic selector list for a given connection with strongSwan is to wait for the next reauthentication, meaning potential packet drops during the process.
My idea was initially to set quite a low rekeying time (to quickly update the TS list) and a high reauth timer. Now that I can rely only on the reauth timer and would like to keep this timer quite high (to avoid packet loss), I wonder if I can occasionally (when the TS list changes) force reauthentication. Any hint, through vici perhaps?
Thanks a lot,
Régis
> Message of 13/07/17 18:05
> From: "Mike Taylor"
> To: "'Tobias Brunner'", "'Sarefrech'", users at lists.strongswan.org
> Cc:
> Subject: RE: [strongSwan] Traffic selector modification ignored when rekeying SA
>
> Hello, I happened to be working to upgrade an existing IKEv2 to RFC7296 and
> one of the things I noticed in RFC7296 came to mind when seeing this thread.
>
> From RFC7296 Section 1.7
>
> In Section 2.8, "Note that, when rekeying, the new Child SA MAY have
> different Traffic Selectors and algorithms than the old one" was
> changed to "Note that, when rekeying, the new Child SA SHOULD NOT
> have different Traffic Selectors and algorithms than the old one".
>
> So the behavior of changing the traffic selectors during rekey is discouraged
> although not completely forbidden.
>
> Regards,
>
> Mike
>
> -----Original Message-----
> From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of Tobias Brunner
> Sent: Thursday, July 13, 2017 8:58 AM
> To: Sarefrech; users at lists.strongswan.org
> Subject: Re: [strongSwan] Traffic selector modification ignored when rekeying SA
>
> Hi,
>
> > Is there a way to force TS modification at rekeying time ?
>
> No.
>
> Regards,
> Tobias
>
>