[strongSwan] Will there be an interoperability issue with Cisco routers/peers if we use "reauth=no" for IKEv2 conns in a strongSwan peer

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Dec 4 21:11:52 CET 2017


Will the use of "reauth=no" in strongSwan create any interoperability
problems with Cisco IKEv2 IPsec peers?


On Mon, Dec 4, 2017 at 10:48 AM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:

> Hi
>
> Although it is mentioned in the wiki that IKEv1 always does reauthentication
> when rekeying IKEv1 SAs...
>
> I still had some doubts. Can you please confirm that if I use the
> config below for ipsec (using strongSwan 5.5.x), the use of "reauth=no" in
> the "conn default" will apply to all IKEv2 connections AND ONLY to IKEv2
> connections?
>
> Can you clarify that this option will NOT have any effect on IKEv1
> connections?
>
> ======================
> conn %default
>         ikelifetime=3h
>         keylife=1h
>         mobike=no
>         dpddelay=30s
>         dpdtimeout=90s
>         dpdaction=clear
>         fragmentation=yes
>         leftsendcert=always
>         reauth=no
>
> conn tun1_V1
>         left=172.31.32.201
>         right=192.168.0.100
>         ...
>         ...
>         type=tunnel
>         keyexchange=ikev1
>         auto=route
>
> conn tun2_V2
>         left=172.31.32.201
>         right=172.28.28.102
>         ...
>         ...
>         type=tunnel
>         keyexchange=ikev2
>         auto=route
>
> conn tun3_V2
>         left=172.31.32.201
>         right=172.29.1.2
>         ...
>         ...
>         type=tunnel
>         keyexchange=ikev2
>         auto=route
>
>
> ======================
>
>
> thanks & regards
> Rajiv
>
>