[strongSwan] question on ikev2 rekey

Tobias Brunner tobias at strongswan.org
Mon Nov 12 15:46:46 CET 2018

Hi Kseniya,

> So my question is: is it a default behavior for strongswan to list all
> subnets in Traffic Selector fields even if their CHILD SAs are not
> expired yet? Is it possible to change this behavior to include only
> those subnets, which need rekeying, into proposals?

You are not rekeying subnets but IPsec/CHILD_SAs.  If your peer does not
support multiple traffic selectors per CHILD_SA you need to negotiate a
separate CHILD_SA for each combination of subnets (see [1]).



More information about the Users mailing list