[strongSwan] question on ikev2 rekey

[Tobias Brunner]

Hi Kseniya,

> So my question is: is it a default behavior for strongswan to list all
> subnets in Traffic Selector fields even if their CHILD SAs are not
> expired yet? Is it possible to change this behavior to include only
> those subnets, which need rekeying, into proposals?

You are not rekeying subnets but IPsec/CHILD_SAs.  If your peer does not
support multiple traffic selectors per CHILD_SA you need to negotiate a
separate CHILD_SA for each combination of subnets (see [1]).

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA