Hi Ujjal,

> 1) Is reauth=no has any effect or i am doing some wrong configuration

The reauth option allows you to configure whether an IKE_SA is rekeyed or reauthenticated once it is about to expire (ikelifetime/margintime). It has no effect on other circumstances where a reauthentication might be required.

> 3) why the reauthentication is happening for the virtual ip address
> not for the actual ip address configured .

The IKEv2 daemon charon listens for any address or route changes reported by the kernel. If any occur, the MOBIKE/roaming process is started.

Now in your situation two things seem to happen. First, charon thinks the current path to the other peer is not available anymore. Charon checks this with a route lookup (similar to 'ip route get x.x.x.x' where x.x.x.x is the address of the peer) and then compares the returned source address with the one currently used for the IKE_SA. If it is equal, not much more is done; otherwise charon tries to find a new path using MOBIKE.

Which brings me to the second observation: you seem to either have disabled MOBIKE (mobike=no) or your peer does not support it. Due to this, charon, as a last resort, tries to reauthenticate the IKE_SA (i.e. tear it down and set it up anew) in order to find a new path to the peer.

Please note that before 4.5.0 the mentioned route lookup sometimes did not return an IP address even if there was a route available.

Regards,
Tobias
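The route check described in the message above, as an added example that is not part of the original message and is not strongSwan code: a simplified shell model of the decision (same source address, MOBIKE update, or reauthentication as a last resort). The function names, the addresses and the sample `ip route get` outputs are constructed, and treating an empty lookup result as "path not available" is an assumption of this model.

```shell
#!/bin/sh
# Simplified model of the roaming decision described in the message.
# Hypothetical helper names; this is not how charon is implemented.

# Constructed samples of `ip route get <peer>` output (documentation addresses).
ROUTE_SAME='192.0.2.10 via 198.51.100.1 dev eth0 src 198.51.100.23 uid 0
    cache'
ROUTE_CHANGED='192.0.2.10 via 203.0.113.1 dev wlan0 src 203.0.113.77 uid 0
    cache'
ROUTE_NONE=''   # lookup returned no address (the pre-4.5.0 case mentioned above)

# Print the address that follows the "src" keyword, or nothing if absent.
route_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "src") { print $(i + 1); exit }
    }'
}

# roam_action <ike_sa_local_addr> <mobike: yes|no> <ip-route-get output>
# Prints one of: keep | mobike-update | reauthenticate
roam_action() {
    sa_addr=$1
    mobike=$2
    src=$(route_src "$3")
    if [ -n "$src" ] && [ "$src" = "$sa_addr" ]; then
        echo keep              # source unchanged: current path still valid
    elif [ "$mobike" = yes ]; then
        echo mobike-update     # look for a new path using MOBIKE
    else
        echo reauthenticate    # last resort: tear down and set up anew
    fi
}

# Demo over the constructed samples, with the IKE_SA bound to 198.51.100.23.
for sample in "$ROUTE_SAME" "$ROUTE_CHANGED" "$ROUTE_NONE"; do
    for mobike in yes no; do
        printf 'src=%-15s mobike=%-3s -> %s\n' \
            "$(route_src "$sample")" "$mobike" \
            "$(roam_action 198.51.100.23 "$mobike" "$sample")"
    done
done
```

On a live host the third argument can be the output of `ip route get` for the peer's address, which shows whether the source address the kernel would pick still matches the one the IKE_SA uses.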