[Swan] reauth option
paul at nohats.ca
Fri Aug 30 17:44:34 UTC 2019
On Fri, 30 Aug 2019, John Crisp wrote:
>> that option should enable using reauthentication of IKE SAs instead of
>> rekeying them
>> as per RFC7296 Section 2.8.3 (
>> when libreswan is the initiator of rekeying (that is,
>> reauthentication in this case).
> OK. Not sure how you would force that, or why Endian/StrongSwan
>> And yes, it isn't documented in man pages.
>> Don't know if that will help you solve your problem.
> Me neither - it answers one question and asks another!
It could help, but at least for now, the reauth= option is a boolean.
That changes the rekey behaviour to reauth. But it still uses the
ikelifetime value (not yet an authlifetime= value). So setting the
ikelifetime= shorter than the required reauth lifetime on the other
end, together with reauth=yes, might resolve your issue. This all
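
A check for the advice in the reply above, added here as an example; it is not code from the thread or from libreswan. It reads ipsec.conf-style text and flags each conn that lacks `reauth=yes` or whose `ikelifetime=` is not shorter than the peer's reauth lifetime. The function names, the s/m/h/d suffix handling, the literal `yes` comparison and the sample conns are assumptions of this example.

```python
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}  # bare number = seconds (assumed)

def to_seconds(value):
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if line and not line[0].isspace():  # section header starts in column 0
            head = re.fullmatch(r"conn\s+(\S+)", line)
            current = conns.setdefault(head.group(1), {}) if head else None
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def check_reauth(text, peer_reauth_seconds):
    """Map each conn to its list of problems (an empty list means it passes)."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    report = {}
    for name, opts in conns.items():
        merged = {**defaults, **opts}  # conn %default values are inherited
        problems = []
        if merged.get("reauth") != "yes":  # only the literal "yes" is accepted here
            problems.append("reauth=yes not set")
        if "ikelifetime" not in merged:
            problems.append("ikelifetime not set explicitly")
        elif to_seconds(merged["ikelifetime"]) >= peer_reauth_seconds:
            problems.append("ikelifetime not shorter than peer reauth lifetime")
        report[name] = problems
    return report

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
conn %default
    ikelifetime=8h
conn to-peer-a
    reauth=yes
    ikelifetime=50m
conn to-peer-b
    reauth=yes
"""
```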