[strongSwan] Prevent strongswan Initiator to reauthenticate

Tobias Brunner tobias at strongswan.org
Mon Mar 19 12:24:52 CET 2018


Hi Alex,

> I am in the need to verify that a Strongswan Responder is initiating an
> IKE SA reauthentication in case the Initiator doesn't.

The responder might not be able to initiate a reauthentication (depends
on the config, e.g. whether EAP or virtual IPs are used).

> Therefore, would you see a way to prevent a Strongswan Initiator (I am
> using a Strongswan as the client/initiator too) from reauthenticating
> even if the Responder requested reauthentication (AUTH_LIFETIME in
> IKE_AUTH Responder Response) ?
> 
> Setting reauth=no in Initiator doesn’t do the job …

No, as documented [1], clients will schedule a rekeying if an
AUTH_LIFETIME notify is received even if reauthentication is disabled in
the config.  There is currently no option to change that.  So you'd have
to modify the code to make the client ignore any received AUTH_LIFETIME
notifies.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior
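To check whether a responder actually sends the AUTH_LIFETIME notify the thread is about, here is an added example (not strongSwan code, not from the list posters) that parses an IKEv2 Notify payload and extracts the lifetime. It assumes the payload has already been decrypted out of the IKE_AUTH response's SK payload (for instance by Wireshark with the session keys), and the sample bytes are constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IKEv2 Notify payload (RFC 7296 section 3.10): 4-byte generic payload header, then
#   Protocol ID (1) | SPI Size (1) | Notify Message Type (2) | SPI (var) | Notification Data (var)
# AUTH_LIFETIME (RFC 4478) uses Notify Message Type 16403 and carries 4 octets of data:
# the remaining authentication lifetime in seconds, as announced by the responder.
AUTH_LIFETIME = 16403


@dataclass
class Notify:
    protocol_id: int
    spi: bytes
    msg_type: int
    data: bytes


def parse_notify(payload: bytes) -> Notify:
    """Parse one Notify payload (generic header included). Raises ValueError when malformed."""
    if len(payload) < 8:
        raise ValueError("shorter than the minimal Notify payload")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length < 8 or length != len(payload):
        raise ValueError("Payload Length field does not match the payload")
    protocol_id, spi_size, msg_type = struct.unpack("!BBH", payload[4:8])
    if 8 + spi_size > length:
        raise ValueError("SPI Size runs past the end of the payload")
    spi = payload[8:8 + spi_size]
    data = payload[8 + spi_size:length]
    return Notify(protocol_id, spi, msg_type, data)


def auth_lifetime_seconds(payload: bytes) -> Optional[int]:
    """Return the lifetime from an AUTH_LIFETIME notify, or None if it is some other notify."""
    notify = parse_notify(payload)
    if notify.msg_type != AUTH_LIFETIME:
        return None
    if len(notify.data) != 4:
        raise ValueError("AUTH_LIFETIME data must be exactly 4 octets")
    return struct.unpack("!I", notify.data)[0]


# Constructed sample (not a real capture): no next payload, length 12, Protocol ID 0,
# SPI Size 0, type 16403 (0x4013), lifetime 3600 s (0x00000e10).
SAMPLE_AUTH_LIFETIME = bytes.fromhex("0000000c" "0000" "4013" "00000e10")
```

If a responder's IKE_AUTH response contains no such notify, the initiator's own reauth/rekey settings are all that decide when it reauthenticates.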

