Hi,

> we are not able to support the same as strongswan first deletes the old
> IKE tunnel then creates a new one. As part of old IKE tunnel deletion,
> GTP tunnel is also removed, so the purpose of re-authentication is not
> met.
Re-authentication has always been problematic: IKEv2 recommends using make-before-break, i.e. establishing the new IKE_SA (+CHILD_SA) from scratch before deleting the old one. However, we can't properly support make-before-break because of limitations in the Linux kernel. It does not really support overlapping CHILD_SAs with identical traffic selectors, which is usually the case during re-authentication. Because of these limitations, we have to use break-before-make in strongSwan, resulting in a small downtime of the tunnel.

There is currently a discussion at the IETF IPsecME working group about an extension to address such issues [1]. This could solve these problems between compatible implementations. We have no plans yet to implement this extension, though.

Regards
Martin

[1] http://tools.ietf.org/html/draft-nir-ipsecme-cafr-02
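An added illustration, not part of the thread above: an ipsec.conf fragment contrasting a connection that re-authenticates (break-before-make, with the tunnel gap described above) against one that only rekeys the IKE_SA (make-before-break, no gap). The lifetimes are example values; `reauth`, `rekey`, `ikelifetime`, `lifetime` and `margintime` are standard ipsec.conf keywords.

```conf
# Constructed example, not from the original message.

# Variant A: periodic re-authentication. strongSwan must delete the old
# IKE_SA (and its CHILD_SAs) before creating the new one, so traffic is
# interrupted briefly every ikelifetime.
conn gtp-reauth
    keyexchange=ikev2
    reauth=yes          # break-before-make re-authentication
    ikelifetime=3h      # old IKE_SA torn down, fresh IKE_AUTH performed
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%

# Variant B: rekey only. The IKE_SA is replaced in place via CREATE_CHILD_SA
# and the CHILD_SAs are rekeyed with overlapping SAs, so no downtime occurs.
# Trade-off: the peer's credentials (certificate, EAP identity) are not
# re-verified for the life of the connection; only the keys are refreshed.
conn gtp-rekey
    keyexchange=ikev2
    reauth=no           # do not re-authenticate, just rekey
    rekey=yes
    ikelifetime=3h      # IKE_SA rekeyed without tearing it down
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
```

Whether variant B is acceptable is a policy decision: it avoids the gap but gives up periodic re-verification of the peer, so certificate revocation is only noticed when the connection is re-established.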