On Fri, 30 Aug 2019, John Crisp wrote:
that option should enable using reauthentication of IKE SAs instead of
rekeying them as per RFC7296 Section 2.8.3
(https://tools.ietf.org/html/rfc7296#section-2.8.3.),
when libreswan is the initiator of rekeying (that is,
reauthentication in this case).
OK. Not sure how you would force that, or why Endian/StrongSwan
fails.
And yes, it isn't documented in man pages.
Interesting...
Don't know if that will help you solve your problem.
Me neither - it answers one question and asks another!
It could help, but at least for now, the reauth= option is a boolean.
That changes the rekey behaviour to reauth. But it still uses the
ikelifetime value (not yet an authlifetime= value). So setting the
ikelifetime= shorter than the required reauth lifetime on the other
end, together with reauth=yes, might resolve your issue. This all
assumes IKEv2.
Paul
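
The settings discussed in this thread, laid out as a libreswan connection (an added example, not taken from any poster's configuration). The connection name, addresses, authby= choice and the 3h/2h lifetimes are constructed assumptions; only reauth=, ikelifetime= and the IKEv2 requirement come from the thread.

```conf
# Constructed example: every value below is a placeholder.
# Assumption: the remote gateway requires IKE SA reauthentication every 3 hours.
conn peer-reauth
    # Local libreswan gateway and remote gateway (documentation addresses).
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    # The advice in the thread assumes IKEv2.
    ikev2=insist
    # Boolean: when libreswan initiates, reauthenticate the IKE SA
    # instead of rekeying it (RFC 7296 section 2.8.3).
    reauth=yes
    # There is no authlifetime= option, so reauthentication is driven by
    # ikelifetime=. Keep it below the peer's assumed 3h reauth lifetime so
    # that libreswan is the side that initiates.
    ikelifetime=2h
    auto=start
```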