[strongSwan] question on ikev2 rekey

Tobias Brunner tobias at strongswan.org
Mon Nov 12 16:48:57 CET 2018


> Honestly, I thought that for IKEv2 multiple traffic selectors
> are possible anyway.

Unfortunately, there are implementations that don't support it.

> Also, I was confused about the subnets because with
> ipsec statusall it shows different rekey time values for different
> policies which include traffic selectors (ip.net1 === ip.net2).

So you already have separate CHILD_SAs for these (possibly initiated by
the peer, or narrowed by it).  But to make this work properly your
config has to reflect that.

> Strongswan also prints "creating rekey job for CHILD_SA ESP/0x12345678/"
> to the log file, which made me think it should rekey only this
> particular SA, with a particular SPI, matching specific source and
> destination (TS).

Single CHILD_SAs are rekeyed, but the complete local CHILD_SA config is
used for the proposal (i.e. multiple TS if that's what you have
configured locally).  If a responder that doesn't support multiple TS
doesn't consider the TS of the rekeyed CHILD_SA, but just blindly uses
the first proposed TS, that's problematic (i.e. you must change the
config to reflect that limitation).

Regards,
Tobias
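As an added illustration (not from this thread or from strongSwan's own files), here is the config shape Tobias describes in ipsec.conf syntax: one conn proposing two traffic selectors, beside the split form that matches one CHILD_SA per subnet; all addresses and the secret are constructed placeholders.

```conf
# Constructed example, not from the thread.
# Form A: one conn, two traffic selectors in a single CHILD_SA.
# Rekeys of any SA under this conn propose BOTH subnets; a peer that
# cannot handle multiple TS may just take the first one it sees.
conn site-multi-ts
    left=203.0.113.10
    leftsubnet=10.1.0.0/24,10.3.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    keyexchange=ikev2
    authby=secret
    auto=start

# Form B: separate conns, one CHILD_SA per subnet pair. Each rekey then
# proposes exactly the TS of the SA being rekeyed, which is what a
# single-TS peer expects (and matches what "ipsec statusall" shows when
# the peer has already split or narrowed the policies).
conn site-common
    left=203.0.113.10
    right=198.51.100.20
    keyexchange=ikev2
    authby=secret
    auto=start

conn site-net1
    also=site-common
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24

conn site-net3
    also=site-common
    leftsubnet=10.3.0.0/24
    rightsubnet=10.2.0.0/24
```

Both site-net1 and site-net3 reuse the same IKE_SA; only the CHILD_SA layout changes, so Form B costs nothing in IKE negotiations.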

