[strongSwan] rekeying IKEv2 SA

Mike Taylor mtaylor at unicoi.com
Sat Jul 1 00:04:10 CEST 2017


Hi Tobias,

Indeed I was able to get strongSwan to rekey the IKEv2 SA by adding

      ike=3des-sha1-modp1024

as in

conn %default
        ikelifetime=12m
        lifetime=1h
        margintime=3m
        keyexchange=ikev2
        authby=secret
        reauth=no
        rekey=yes
        ike=3des-sha1-modp1024

It is interesting to note that with that change one might think that it would
only include this suite in the proposed transforms in the CREATE_CHILD_SA
request, but it offers 3 separate proposals, each with a large number of transforms.

In any case, for my purposes it is OK but it seems like a bug given that the original
error was a complaint about an elliptic curve group not being available.  

Regards,

Mike

-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: Friday, June 30, 2017 12:07 AM
To: Mike Taylor; users at lists.strongswan.org
Subject: Re: [strongSwan] rekeying IKEv2 SA

Hi Mike,

>       ikelifetime=6m
>       margintime=3m

Not ideal as that, depending on rekeyfuzz and the randomization, could
result in rekeying getting disabled (see the formula on the ExpiryRekey
page).

> If I change reauth=yes to reauth=no

You definitely have to disable reauth to use rekeying, otherwise the
IKE_SA is reauthenticated.

> then it gets worse and periodically
> Charon sends an empty (no payloads) CREATE_CHILD_SA packet which
> the other IKE naturally rejects as invalid syntax.

Check the logs.

> I tried to follow
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey.
> But I find it somewhat confusing about what goes where.

What did you find confusing?

Regards,
Tobias
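The timer interaction Tobias points at (ikelifetime=6m with margintime=3m, and the rekey/reauth distinction) can be checked mechanically. The script below is an added example written for this page; it is not strongSwan code and not from either poster. It restates the rekey-time formula from the strongSwan ExpiryRekey wiki page (rekey time = ikelifetime - margintime - random(0, margintime * rekeyfuzz), with a result of 0 meaning charon schedules no rekeying) and the ipsec.conf(5) defaults for absent keys. The two conn blocks embedded in it are constructed from the values quoted in the thread, including reauth=yes for the original, which Mike mentions changing; they are not copies of his actual file.

```python
"""Sanity-check IKE_SA rekeying timers in an ipsec.conf conn section.

Formula from the strongSwan ExpiryRekey wiki page, restated here:
    rekey time = ikelifetime - margintime - random(0, margintime * rekeyfuzz)
A computed rekey time of 0 means charon schedules no rekeying job at all,
which is the failure mode Tobias warns about for ikelifetime=6m, margintime=3m.
Defaults used when a key is absent follow ipsec.conf(5): ikelifetime=3h,
margintime=9m, rekeyfuzz=100%, rekey=yes, reauth=yes.
"""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """'6m' -> 360, '1h' -> 3600, '90' -> 90 (a bare number is seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_percent(value):
    """'100%' -> 1.0, '25' -> 0.25."""
    m = re.fullmatch(r"(\d+)%?", value.strip())
    if not m:
        raise ValueError(f"bad percentage: {value!r}")
    return int(m.group(1)) / 100


def parse_conn(block):
    """Collect key=value pairs from one conn section.

    Comments and the 'conn NAME' header are skipped; merging of %default
    into named sections is deliberately not modelled here.
    """
    settings = {}
    for line in block.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, sep, val = line.partition("=")
        if sep:
            settings[key.strip()] = val.strip()
    return settings


def ike_rekey_window(settings):
    """Return (earliest, latest) seconds after establishment at which charon
    may initiate IKE_SA rekeying (or reauthentication, if reauth=yes)."""
    life = parse_duration(settings.get("ikelifetime", "3h"))
    margin = parse_duration(settings.get("margintime", "9m"))
    fuzz = parse_percent(settings.get("rekeyfuzz", "100%"))
    latest = life - margin                      # no random increase
    earliest = latest - int(margin * fuzz)      # maximum random increase
    return earliest, latest


def check_ike_rekeying(block):
    """Return the mode in use (rekey vs reauth), the timer window and any
    problems found with the given conn section text."""
    s = parse_conn(block)
    earliest, latest = ike_rekey_window(s)
    problems = []
    if s.get("rekey", "yes") == "no":
        problems.append("rekey=no: IKE_SA is never replaced before expiry")
    if earliest <= 0:
        problems.append("margintime*(1+rekeyfuzz) >= ikelifetime: computed "
                        "rekey time can reach 0, which disables rekeying")
    # With reauth=yes (the default) the same timers drive a full IKE_AUTH
    # reauthentication rather than a CREATE_CHILD_SA rekeying.
    mode = "rekey" if s.get("reauth", "yes") == "no" else "reauth"
    return {"mode": mode, "earliest": earliest, "latest": latest,
            "problems": problems}


# Constructed inputs mirroring the two configurations discussed in the thread.
ORIGINAL = """conn %default
        ikelifetime=6m
        lifetime=1h
        margintime=3m
        keyexchange=ikev2
        authby=secret
        reauth=yes
        rekey=yes
"""

REVISED = """conn %default
        ikelifetime=12m
        lifetime=1h
        margintime=3m
        keyexchange=ikev2
        authby=secret
        reauth=no
        rekey=yes
        ike=3des-sha1-modp1024
"""

if __name__ == "__main__":
    for name, block in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, check_ike_rekeying(block))
```

For the original values the window comes out as 0..180 seconds, so with the default rekeyfuzz=100% an unlucky draw yields a rekey time of 0 and no rekeying is scheduled; for the revised values it is 360..540 seconds, and with reauth=no the event is an actual IKE_SA rekeying.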
