[strongSwan] question on ikev2 rekey

Tobias Brunner tobias at strongswan.org
Mon Nov 12 16:48:57 CET 2018

> Honestly, I thought that for IKEv2 multiple traffic selectors
> are possible anyway.

Unfortunately, there are implementations that don't support it.

> Also, I was confused about the subnets because with
> ipsec statusall it shows different rekey time values for different
> policies which include traffic selectors (ip.net1 === ip.net2).

So you already have separate CHILD_SAs for these (possibly initiated by
the peer, or narrowed by it).  But to make this work properly your
config has to reflects that.

> Strongswan also prints "creating rekey job for CHILD_SA ESP/0x12345678/"
> to the log file, which made me think it should rekey only this
> particular SA, with a particular SPI, matching specific source and
> destination (TS).

Single CHILD_SAs are rekeyed, but the complete local CHILD_SA config is
used for the proposal (i.e. multiple TS if that's what you have
configured locally).  If a responder that doesn't support multiple TS
doesn't consider the TS of the rekeyed CHILD_SA, but just blindly uses
the first proposed TS, that's problematic (i.e. you must change the
config to reflect that limitation).


More information about the Users mailing list