Hello,
How does strongSwan address the following RFC4306 requirement? Is there any
strongSwan parameter to manage the CREATE_CHILD_SA exchange?
[[[...Repeated rekeying using CREATE_CHILD_SA without additional
Diffie-Hellman exchanges
leaves all SAs vulnerable to cryptanalysis of a single key or
Implementers should take note of this fact and set a limit on CREATE_CHILD_SA
exchanges
between exponentiations...

Hi Mugur,

While we always use a Diffie-Hellman exchange for IKE_SA rekeying,
CHILD_SA rekeying by default does not use a DH exchange. You can change
this behavior by including a