Hi,

Thanks for your reply.

With your help I am now able to create the IKE SA and CHILD SA, but there
is a problem with updating and rekeying of the IKE SA:

1. I am trying to change one or all parameters (e.g. rekeytime,
encryption algo, integrity algo, DH group parameter) in ipsec.conf so
that when I do "ipsec update" the established IKE SA applies the new
parameters at the time of rekeying, but what I am seeing is that this is
not happening. The IKE SA is still using the old config parameters
even after rekeying.

2. Also, the IKE SA is not getting rekeyed; only its CHILD SA is getting
rekeyed. The status for the IKE SA says that rekey is disabled for it. So,
how do I enable rekeying of the IKE SA, and how do I apply a change
in a parameter of ipsec.conf to the IKE SA without bringing the IKE SA
down?

Here are my ipsec.conf files for the two peers:

Peer_1:
# ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=no
        strictcrlpolicy=no
conn %default
        ikelifetime=3m
        keyexchange=ikev2
        keyingtries=1
        keylife=2m
        reauth=no
        mobike=no
        rekeymargin=2m
        ike=aes128-sha1-modp2048!
        esp=aes256-sha1-modp2048!

conn carol
        authby=psk
        left=10.118.209.204
        right=10.3.5.218
        leftid=10.0.3.1
        rightid=10.0.3.3
        auto=add

Peer_2:
# ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=no
        strictcrlpolicy=no

conn %default
        ikelifetime=3m
        keyexchange=ikev2
        keyingtries=1
        keylife=3m
        reauth=no
        mobike=no
        rekeymargin=2m
        ike=aes128-sha1-modp2048!
        esp=aes128-sha1-modp2048!


conn carol
        authby=psk
        left=10.3.5.218
        right=10.118.209.204
        rightid=10.0.3.1
        leftid=10.0.3.3
        auto=add



Please help me.

Thanks for your help in advance.

Regards,
Vivek
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
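
An added example, not part of the original post and not strongSwan code: it parses the timing and proposal settings from the two posted ipsec.conf files, applies the documented ipsec.conf rekey formula rekeytime = lifetime - (margin + random(0, margin * rekeyfuzz)), and lists the settings that differ between the peers. It assumes the default rekeyfuzz=100% (the post sets none); all function names are hypothetical.

```python
import re

# %default timing/proposal keys copied from the post's Peer_1 config
# (keyexchange, keyingtries, reauth, mobike and addresses are omitted).
PEER_1 = """conn %default
        ikelifetime=3m
        keylife=2m
        rekeymargin=2m
        ike=aes128-sha1-modp2048!
        esp=aes256-sha1-modp2048!
conn carol
        authby=psk
"""
# In the post, Peer_2 differs in exactly these two %default lines.
PEER_2 = PEER_1.replace("keylife=2m", "keylife=3m").replace("esp=aes256", "esp=aes128")

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def effective(text, name):
    """Settings of conn `name` with the %default section applied underneath."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():          # unindented line starts a section
            parts = line.split()
            current = conns.setdefault(parts[-1], {}) if parts[0] == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key] = value
    return {**conns.get("%default", {}), **conns[name]}

def seconds(value):
    # ipsec.conf time values: integer with optional s/m/h/d suffix
    number, unit = re.fullmatch(r"(\d+)([smhd]?)", value).groups()
    return int(number) * UNITS[unit or "s"]

def rekey_window(lifetime, margin, fuzz_pct=100):
    # (earliest, latest) rekey time in seconds after the SA is established
    life, m = seconds(lifetime), seconds(margin)
    return life - m - m * fuzz_pct // 100, life - m

def peer_differences(a, b):
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    p1, p2 = effective(PEER_1, "carol"), effective(PEER_2, "carol")
    print("IKE rekey window (s):  ", rekey_window(p1["ikelifetime"], p1["rekeymargin"]))
    print("CHILD rekey window (s):", rekey_window(p1["keylife"], p1["rekeymargin"]))
    print("Peers differ on:", peer_differences(p1, p2))
```

A lower bound at or below zero means the margin plus fuzz can consume the whole lifetime, so those values are worth reviewing together with the differing `esp` and `keylife` lines.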
