[strongSwan] make_before_break and rekeying

Tobias Brunner tobias at strongswan.org
Fri Nov 6 08:33:46 CET 2020


Hi Volodymyr,

> - what is wrong with make_before_break, why does it (according to logs)
> close and then create a new SA?

That option only affects IKE_SA reauthentication.  CHILD_SA rekeying is
different and should always happen overlapping.  However, with your
settings, the SA expires pretty much immediately (you can't set lifetime
so low without changing the margin too), so it gets deleted (it's
already gone in the kernel once it expired) and recreated.  See [1] for
details on rekey settings.

> - what does it mean "no acceptable ENCRYPTION_ALGORITHM found" on
> responder side during SA renegotiation?

You have two ESP proposals configured on the responder, one with AEAD
algorithms (AES-GCM) and one with classic algorithms (AES-CBC + HMAC).
The first one doesn't match the client's proposal, as it only proposes
AES-CBC.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
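As an added illustration of the first answer (example code written for this archive page, not part of the thread or of strongSwan itself): the script below computes the CHILD_SA rekey window from ipsec.conf-style lifetime/margintime/rekeyfuzz values and flags settings where the SA would hit its hard expiry before a rekey is even attempted. The scheduling formula (rekey at lifetime minus margintime minus a random share of up to rekeyfuzz percent of margintime) is taken from the ExpiryRekey wiki page linked above; the sample values are constructed, not the original poster's.

```python
"""Added example: sanity-check strongSwan ipsec.conf rekey settings.

Assumed model (per the ExpiryRekey wiki page): a CHILD_SA rekey is initiated
at  lifetime - margintime - random(0 .. margintime * rekeyfuzz / 100)  seconds
after the SA is established, and the SA is hard-deleted at `lifetime`.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class RekeySettings:
    lifetime: int    # hard expiry of the CHILD_SA, seconds (ipsec.conf "lifetime")
    margintime: int  # rekey starts this long before expiry, seconds ("margintime")
    rekeyfuzz: int   # percent by which margintime is randomly increased ("rekeyfuzz")


def rekey_window(s: RekeySettings) -> Tuple[int, int]:
    """(earliest, latest) seconds after setup at which a rekey is initiated.
    Latest = no fuzz applied; earliest = maximum fuzz applied."""
    latest = s.lifetime - s.margintime
    earliest = latest - (s.margintime * s.rekeyfuzz) // 100
    return earliest, latest


def classify(s: RekeySettings) -> str:
    """'ok' if every possible rekey lands before expiry; 'expires-before-rekey'
    if the rekey would be scheduled at or before setup (the SA simply expires
    and is deleted/recreated, as described in the reply); 'may-expire-before-rekey'
    if only some fuzz outcomes push the rekey to or before setup."""
    earliest, latest = rekey_window(s)
    if latest <= 0:
        return "expires-before-rekey"
    if earliest <= 0:
        return "may-expire-before-rekey"
    return "ok"


if __name__ == "__main__":
    # Constructed sample settings (not the poster's real values).
    samples = {
        "defaults (1h/9m/100%)": RekeySettings(3600, 540, 100),
        "lifetime lowered, margin left at default": RekeySettings(60, 540, 100),
        "lifetime and margin lowered together": RekeySettings(60, 10, 100),
    }
    for label, s in samples.items():
        print(f"{label}: rekey window {rekey_window(s)} -> {classify(s)}")
```

A result other than `ok` means the margin (and fuzz) must be lowered together with the lifetime, which is the point made in the reply above.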
