Hello,

What you're seeing is expected. Already existing IKE SAs and CHILD SAs use the settings that they were established with.
Kind regards
Noel

On 22.03.2018 16:09, Rich Lafferty wrote:
> Hi all,
>
> Some background: In migrating our fleet from Racoon to Strongswan I
> discovered an interop bug where, with fragmentation enabled, Racoon sends
> fragmented IKEv1 packets which strongSwan is unable to decrypt. I discovered
> that the issue goes away if IKE fragmentation is disabled, and since we’re
> using PSK I’m confident that our IKE packets will be small enough to safely
> disable it, so I added `fragmentation = no` to all of our (swanctl-based) IKE
> connections on the StrongSwan side.
>
> On to my actual question…
>
> I discovered that while _new_ IKE SAs correctly do not advertise
> fragmentation, _renewals_ of already-established IKE SAs continue to use the
> same settings that they were established with (i.e. fragmentation is
> advertised and enabled).
>
> What I expected is that after a `swanctl --load-all`, the next IKE SA
> negotiation would use the new settings, so that the change could be rolled
> out gradually and invisibly as IKE SAs expire.
>
> Could someone more familiar with this verify that this is expected behaviour?
> Is there any way to tell strongSwan to use new configuration the next time an
> IKE SA is due for renewal, rather than interrupting the existing SA? (Later,
> I hope to migrate to a better encryption suite and was hoping to roll it out
> the same way without hard restarts of SAs.)
>
> Thanks,
> -Rich