[strongSwan] Multiple CHILD_SA's after reauth timer expires

Makarand Pradhan MakarandPradhan at is5com.com
Tue Aug 18 18:13:27 CEST 2020


Thanks Tobias for your quick response.

Am trying the make-before-break approach and so far the results are good. Will run traffic for some more time to confirm the resolution.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 

-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: August 18, 2020 11:47 AM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Multiple CHILD_SA's after reauth timer expires

Hi Makarand,

> Any opinions on how to avoid the multiple CHILD_SAs after reauth?

Don't use reauth (use rekeying) or use make-before-break reauth, see [1] for details (where this issue with trap policies is also mentioned).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKE
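
The two options suggested in the reply above, written out as configuration. This is an added example, not taken from either poster's setup: the connection name "example-conn" and the time values are constructed, and it assumes a swanctl.conf-based IKEv2 configuration.

```conf
# --- Option 1: no reauthentication, rekey the IKE_SA instead ---
# /etc/swanctl/swanctl.conf
connections {
    example-conn {              # hypothetical connection name
        version = 2
        rekey_time = 4h         # IKE_SA is rekeyed in place (constructed value)
        reauth_time = 0s        # 0 disables reauthentication
        # local/remote/children sections omitted
    }
}

# --- Option 2: keep reauthentication, but make-before-break ---
# /etc/strongswan.conf
charon {
    # Build the replacement IKE_SA and its CHILD_SAs before the old
    # ones are deleted, instead of tearing down first (break-before-make).
    # Both peers must be able to handle the temporarily overlapping SAs.
    make_before_break = yes
}
```

Use one option or the other; after changing strongswan.conf the daemon has to be restarted for the setting to take effect.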

