[Swan] reauth option

Paul Wouters paul at nohats.ca
Fri Aug 30 17:44:34 UTC 2019


On Fri, 30 Aug 2019, John Crisp wrote:

>> that option should enable using reauthentication of IKE SAs instead of
>> rekeying them
>> as per RFC7296 Section 2.8.3
>> (https://tools.ietf.org/html/rfc7296#section-2.8.3),
>> when libreswan is the initiator of rekeying (that is,
>> reauthentication in this case).
>
> OK. Not sure how you would force that, or why Endian/StrongSwan
> fails.
>
>> And yes, it isn't documented in man pages.
>>
>
> Interesting...
>
>> Don't know if that will help you solve your problem.
>
> Me neither - it answers one question and asks another!

It could help, but at least for now, the reauth= option is a boolean.
That changes the rekey behaviour to reauth. But it still uses the
ikelifetime value (not yet an authlifetime= value). So setting the
ikelifetime= shorter than the required reauth lifetime on the other
end, together with reauth=yes, might resolve your issue. This all
assumes IKEv2.

Paul
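
As an added illustration of the suggestion above (this is not from Paul's message or from the libreswan project's own documentation), here is what the libreswan side could look like in ipsec.conf. The connection name, addresses, identities, subnets and the 3h figure assumed for the peer's reauthentication lifetime are all made up for the example; only reauth=, ikelifetime= and the IKEv2 requirement come from the message itself:

```ini
# Added example, not part of the original thread or of libreswan itself.
# Assumption: the strongSwan/Endian peer reauthenticates its IKE SA every
# 3h. To make libreswan the initiator, and to make it reauthenticate rather
# than rekey, reauth=yes is set and ikelifetime= is kept below that 3h.
conn endian-site
    # reauth= only changes IKE SA handling for IKEv2, so require it.
    ikev2=insist
    authby=secret
    # Hypothetical libreswan side.
    left=192.0.2.1
    leftid=@libreswan.example
    leftsubnet=10.10.0.0/24
    # Hypothetical strongSwan/Endian side.
    right=198.51.100.1
    rightid=@endian.example
    rightsubnet=10.20.0.0/24
    # Boolean: reauthenticate the IKE SA instead of rekeying it.
    reauth=yes
    # There is no separate authlifetime= yet; the reauth interval is the
    # IKE SA lifetime, so it must be shorter than the peer's 3h so that
    # libreswan gets to initiate first.
    ikelifetime=1h
    # Child (IPsec) SA lifetime, rekeyed as usual.
    salifetime=1h
    auto=start
```

If libreswan's ikelifetime= is not shorter than the peer's interval, the peer initiates its own rekey or reauth first and the reauth=yes setting on the libreswan side never comes into play; that is the one figure worth checking against the Endian/strongSwan configuration before concluding the option has no effect.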
