Hi Emeric,

> It seems there is no more packet loss during the CHILD SA rekeying.

Thanks for the tests.

> However, I noticed some drop during the IKE SA reauthentication, despite the
> make_before_break option set to yes.
>
> Is that the expected behavior?

I guess, I didn't change anything regarding reauthentication. It's also not that easy as the new IKE_SA that's built during a reauthentication has no relationship to the existing one (like the two or more IKE_SAs during a rekeying do), so synchronizing the uninstallation/destruction of the associated CHILD_SAs is not really possible.

It's similar to when an SA is first established, the responder is able to send ESP packets before the initiator can actually process them. This could only be "resolved" by delaying the installation of the outbound SA on the responder for a while after it responded to the IKE_AUTH (or CREATE_CHILD_SA) message. But even then, the response could get lost or delayed and the responder might still install the SA before the initiator installed its inbound SA.

During a reauthentication the same thing occurs, i.e. the responder will install a new outbound SA with the new IKE_SA and use it before the initiator installs the new inbound SA when it receives the IKE_AUTH response.

Regards,
Tobias

_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
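The install-ordering race described in the reply above, as an added timeline model written for this page (it is not strongSwan code and models no strongSwan internals): it assumes a one-way network delay, an optional responder-side delay before the outbound SA is installed, and an initiator retransmit timeout, all constructed values, and shows why the delay closes the loss window only when the IKE response is not lost.

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    """Times in ms relative to the responder sending its IKE response."""
    responder_outbound_at: float  # responder starts sending ESP on the new SA
    initiator_inbound_at: float   # initiator can first process that ESP

    @property
    def loss_window_ms(self) -> float:
        # ESP sent by the responder in this interval cannot be decrypted yet
        return max(0.0, self.initiator_inbound_at - self.responder_outbound_at)


def simulate(one_way_ms: float, responder_install_delay_ms: float = 0.0,
             response_lost: bool = False, retransmit_ms: float = 4000.0) -> Outcome:
    """Model the IKE_AUTH / CREATE_CHILD_SA response and the SA installs.

    The responder installs its inbound SA when it replies (t = 0) and its
    outbound SA after the assumed delay; the initiator installs both of its
    SAs only once the response arrives (one-way delay later). If the
    response is lost, the initiator retransmits its request after the
    assumed timeout and the responder resends the response.
    """
    responder_outbound_at = 0.0 + responder_install_delay_ms
    if response_lost:
        # request originally left the initiator one_way_ms before t = 0;
        # retransmit reaches the responder at retransmit_ms, reply follows
        initiator_inbound_at = retransmit_ms + one_way_ms
    else:
        initiator_inbound_at = one_way_ms
    return Outcome(responder_outbound_at, initiator_inbound_at)


def dropped_packets(outcome: Outcome, send_interval_ms: float) -> int:
    """Count ESP packets the responder sends before the initiator is ready."""
    dropped = 0
    t = outcome.responder_outbound_at
    while t < outcome.initiator_inbound_at:
        dropped += 1
        t += send_interval_ms
    return dropped


if __name__ == "__main__":
    for kwargs in ({}, {"responder_install_delay_ms": 200.0},
                   {"responder_install_delay_ms": 200.0, "response_lost": True}):
        o = simulate(50.0, **kwargs)
        print(kwargs, "loss window:", o.loss_window_ms, "ms,",
              "dropped at 20 ms interval:", dropped_packets(o, 20.0))
```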