[Swan] reauth option

Paul Wouters paul at nohats.ca
Fri Aug 30 17:44:34 UTC 2019

On Fri, 30 Aug 2019, John Crisp wrote:

>> that option should enable using reauthentication of IKE SAs instead of
>> rekeying them
>> as per RFC7296 Section 2.8.3 (
>> https://tools.ietf.org/html/rfc7296#section-2.8.3.),
>> when libreswan is the initiator of rekeying (that is,
>> reauthentication in this case).
> OK. Not sure how to you would force that, or why Endian/StrongSwan
> fails.
>> And yes, it isn't documented in man pages.
> Interesting...
>> Don't know if that will help you solve your problem.
> Me neither - it answers one question and asks another!

It could help, but at least for now, the reauth= option is a boolean.
That changes the rekey behaviour to reauth. But it still uses the
ikelifetime value (not yet an authlifetime= value). So setting the
ikelifetime= shorter than the required reauth lifetime on the other
end, together with reauth=yes, might resolve your issue. This all
assumes IKEv2.


More information about the Swan mailing list