[strongSwan] make before break and default activation

Tobias Brunner tobias at strongswan.org
Tue Jul 18 11:56:02 CEST 2017

Hi Emeric,

> To be more specific:
> - what happens exactly if it is enabled only on one side?

It only has an effect on the peer that initiates the reauthentication.
Enabling it on a host that's always responder has no effect at all.

> - what happens with other IKEv2 implementations?

That's the big question and the reason it is disabled by default (well,
actually that old strongSwan version don't support it).  It only works
if the responder can handle this properly so you have to experiment.
strongSwan only does so since 5.3.0 (e.g. in regards to duplicate
policies/reqids, virtual IP handling etc.).  But only recently (#2373)
an issue in the farp plugin was found that also affects responders of
make-before-break reauthentications.


More information about the Users mailing list