[strongSwan] rekeying IKEv2 SA
mtaylor at unicoi.com
Sat Jul 1 00:04:10 CEST 2017
Indeed I was able to get StrongSwan to rekey the IKEv2 SA by adding
It is interesting to note that with that change one might think that it would
only include this suite in the proposed transforms in the CREATE_CHILD_SA
request but it offers 3 separate proposals each with a large number of transforms.
In any case, for my purposes it is OK but it seems like a bug given that the original
error was a complaint about an elliptic curve group not being available.
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Friday, June 30, 2017 12:07 AM
To: Mike Taylor; users at lists.strongswan.org
Subject: Re: [strongSwan] rekeying IKEv2 SA
Not ideal as that, depending on rekeyfuzz and the randomization, could
result in rekeying getting disabled (see the formula on the ExpiryRekey
> If I change reauth=yes to reauth=no
You definitely have to disable reauth to use rekeying, otherwise the
IKE_SA is reauthenticated.
> then it gets worse and periodically
> Charon sends an empty (no payloads) CREATE_CHILD_SA packet which
> the other IKE naturally rejects as invalid syntax.
Check the logs.
> I tried to follow
> But I find it somewhat confusing about what goes where.
What did you find confusing?