[strongSwan] question on ikev2 rekey

Kseniya Blashchuk ksyblast at gmail.com
Mon Nov 12 16:22:27 CET 2018


Thank you Tobias.

Honestly, I thought that for IKEv2 multiple traffic selectors are possible
anyway. Also, I was confused about the subnets because with ipsec statusall
it shows different rekey time values for different policies which include
traffic selectors (ip.net1 === ip.net2). strongSwan also prints "creating
rekey job for CHILD_SA ESP/0x12345678/" to the log file, which made me
think it should rekey only this particular SA, with a particular SPI,
matching specific source and destination (TS). Sorry if it's a stupid
question, but is it trying to rekey all CHILD_SAs instead when at least
one of them is expired?

We will contact our peer, and if they don't support multiple traffic
selectors we will follow your example.
Thank you for your help.

Mon, 12 Nov 2018 at 17:46, Tobias Brunner <tobias at strongswan.org>:

> Hi Kseniya,
>
> > So my question is: is it a default behavior for strongswan to list all
> > subnets in Traffic Selector fields even if their CHILD SAs are not
> > expired yet? Is it possible to change this behavior to include only
> > those subnets, which need rekeying, into proposals?
>
> You are not rekeying subnets but IPsec/CHILD_SAs.  If your peer does not
> support multiple traffic selectors per CHILD_SA you need to negotiate a
> separate CHILD_SA for each combination of subnets (see [1]).
>
> Regards,
> Tobias
>
> [1]
>
> https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA
>
> --

BR, Kseniya
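The distinction Tobias draws (traffic selectors belong to a CHILD_SA, and it is the CHILD_SA that gets rekeyed) is easiest to see in configuration. The following ipsec.conf fragment is an added example, not part of the original thread and not taken from strongSwan's documentation; the connection names and all addresses are constructed. Variant A puts two subnets into one CHILD_SA by listing them in leftsubnet; when that CHILD_SA is rekeyed, the CREATE_CHILD_SA request carries both subnets, because both are traffic selectors of the one SA being rekeyed. Variant B, the approach the FAQ link describes for a peer that only accepts a single TS pair per CHILD_SA, uses one conn per subnet combination, so each CHILD_SA has exactly one TS pair and is rekeyed on its own schedule.

```ini
# Added example (constructed addresses and names), not from the original
# thread. Load only ONE of the two variants below: both install policies
# for 10.1.0.0/16 <-> 10.2.0.0/16 and would conflict if enabled together.

# Shared IKE_SA settings. %default applies to every conn in this file.
conn %default
    keyexchange=ikev2
    left=198.51.100.1
    right=203.0.113.1
    ike=aes256-sha256-modp2048
    esp=aes256gcm16

# Variant A: one CHILD_SA carrying two traffic selectors on the left side.
# Requires a peer that accepts multiple TS per CHILD_SA (IKEv2 permits it).
# A rekey of this CHILD_SA proposes both 10.1.0.0/16 and 10.3.0.0/16,
# since both are traffic selectors of the same SA.
conn net-net
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start

# Variant B: one conn (hence one CHILD_SA) per subnet combination, for a
# peer that only handles a single TS pair per CHILD_SA. Both conns share
# the IKE_SA to 203.0.113.1; each CHILD_SA is rekeyed independently, and
# "ipsec statusall" shows a separate rekey time per conn.
conn net1-net2
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start

conn net3-net2
    leftsubnet=10.3.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start
```

After changing variants, reload with `ipsec update` (or `ipsec reload`) and confirm with `ipsec statusall` that each CHILD_SA lists exactly the traffic selectors you expect; if the peer narrows a multi-selector proposal down to a single pair, that is the symptom that points to Variant B.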