[strongSwan] question on ikev2 rekey

Kseniya Blashchuk ksyblast at gmail.com
Mon Nov 12 17:39:29 CET 2018


Understood, thank you very much for the clarification!

On Mon, Nov 12, 2018, 6:48 PM Tobias Brunner <tobias at strongswan.org> wrote:

> > Honestly, I thought that for IKEv2 multiple traffic selectors
> > are possible anyway.
>
> Unfortunately, there are implementations that don't support it.
>
> > Also, I was confused about the subnets because with
> > ipsec statusall it shows different rekey time values for different
> > policies which include traffic selectors (ip.net1 === ip.net2).
>
> So you already have separate CHILD_SAs for these (possibly initiated by
> the peer, or narrowed by it).  But to make this work properly your
> config has to reflect that.
>
> > Strongswan also prints "creating rekey job for CHILD_SA ESP/0x12345678/"
> > to the log file, which made me think it should rekey only this
> > particular SA, with a particular SPI, matching specific source and
> > destination (TS).
>
> Single CHILD_SAs are rekeyed, but the complete local CHILD_SA config is
> used for the proposal (i.e. multiple TS if that's what you have
> configured locally).  If a responder that doesn't support multiple TS
> doesn't consider the TS of the rekeyed CHILD_SA, but just blindly uses
> the first proposed TS, that's problematic (i.e. you must change the
> config to reflect that limitation).
>
> Regards,
> Tobias
>
-- 

BR, Kseniya
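To make Tobias's last point concrete, here is an ipsec.conf sketch. It is an added example, not taken from the thread and not the poster's real configuration; the subnets, peer addresses and conn names are placeholders. The first conn proposes two subnet pairs as traffic selectors within a single CHILD_SA, which is what gets re-proposed on every rekey; a peer that only honours the first TS then ends up with a rekeyed SA that no longer matches the traffic the original one carried. The second form gives each subnet pair its own conn, so each CHILD_SA has a single TS pair and a rekey proposes exactly the selectors that SA was negotiated with.

```conf
# Settings shared by all conns (constructed example; addresses are placeholders)
conn %default
    keyexchange=ikev2
    left=192.0.2.1
    right=198.51.100.1
    leftauth=psk
    rightauth=psk

# Problematic with a peer that does not support multiple TS per CHILD_SA:
# one CHILD_SA is proposed with two traffic selectors on each side.
# On rekey the complete local config (both TS pairs) is proposed again,
# and a peer that blindly takes the first TS installs a CHILD_SA for
# 10.1.0.0/24<->10.2.0.0/24 even if the SA being rekeyed carried
# 10.1.1.0/24<->10.2.1.0/24.  Kept with auto=ignore only for contrast.
conn multi-ts
    leftsubnet=10.1.0.0/24,10.1.1.0/24
    rightsubnet=10.2.0.0/24,10.2.1.0/24
    auto=ignore

# Corrected form: one conn (hence one CHILD_SA) per subnet pair, so each
# CHILD_SA has a single TS pair and every rekey proposes only that pair.
conn net1
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    auto=start

conn net2
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.1.0/24
    auto=start
```

In swanctl.conf the same split is expressed as one `children` subsection per subnet pair, each with a single `local_ts`/`remote_ts`, instead of comma-separated lists in one child. After the change, `ipsec statusall` shows one policy and one rekey time per conn, which matches the separate CHILD_SAs the peer actually negotiates.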