Understood, thank you very much for the clarification!

On Mon, Nov 12, 2018, 6:48 PM Tobias Brunner <tob...@strongswan.org> wrote:

> > Honestly, I thought that for IKEv2 multiple traffic selectors
> > are possible anyway.
>
> Unfortunately, there are implementations that don't support it.
>
> > Also, I was confused about the subnets because with
> > ipsec statusall it shows different rekey time values for different
> > policies which include traffic selectors (ip.net1 === ip.net2).
>
> So you already have separate CHILD_SAs for these (possibly initiated by
> the peer, or narrowed by it). But to make this work properly your
> config has to reflect that.
>
> > Strongswan also prints "creating rekey job for CHILD_SA ESP/0x12345678/"
> > to the log file, which made me think it should rekey only this
> > particular SA, with a particular SPI, matching specific source and
> > destination (TS).
>
> Single CHILD_SAs are rekeyed, but the complete local CHILD_SA config is
> used for the proposal (i.e. multiple TS if that's what you have
> configured locally). If a responder that doesn't support multiple TS
> doesn't consider the TS of the rekeyed CHILD_SA, but just blindly uses
> the first proposed TS, that's problematic (i.e. you must change the
> config to reflect that limitation).
>
> Regards,
> Tobias
>
-- 
BR, Kseniya
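The config change Tobias is describing, as an added ipsec.conf example; this is not from the original thread or from the strongSwan project, and the addresses, subnets and conn names are made up for illustration. The first conn proposes two traffic selectors inside one CHILD_SA, which is what gets re-proposed on every rekey; the second version splits them into one conn per remote subnet, so each CHILD_SA only ever proposes its own TS and a peer that cannot handle multiple TS is never asked to.

```conf
# BEFORE: one CHILD_SA with two remote traffic selectors.
# On rekey strongSwan proposes both TS again; a responder without
# multiple-TS support may just take the first one.
conn net-net
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=192.0.2.2
    rightsubnet=10.2.0.0/24,10.3.0.0/24
    auto=start

# AFTER: shared settings in a base section, one conn (and therefore
# one CHILD_SA) per remote subnet. Each SA is rekeyed on its own and
# only proposes the single TS it was created with.
conn base
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=192.0.2.2

conn net1
    also=base
    rightsubnet=10.2.0.0/24
    auto=start

conn net2
    also=base
    rightsubnet=10.3.0.0/24
    auto=start
```

After reloading, `ipsec statusall` should list one policy per conn (net1 and net2), each with its own rekey timer, which is the expected state rather than something to worry about. The peer's configuration has to match the split too: if it still expects a single SA covering both subnets, the narrowed or separately initiated SAs described in the thread are what you get again.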