Hi Gerald, > The IKE Rekeying succeeds, but afterwards it gets > stuck within a mode_config request. I don't think there should be a > mode_config request during rekeying or I am wrong?
strongSwan binds an INTERNAL_IPx_ADDRESS to the ISAKMP_SA, so it valid only during the lifetime of an ISAKMP_SA. This implies that IKE rekeying (or better, re-authentication) re-negotiates virtual IPs. It is not fully clear to me what is the correct behavior, but draft-dukes-ike-mode-cfg-02 says: > The requested address is valid until the expiry time defined with > the INTERNAL_ADDRESS EXPIRY attribute or until the ISAKMP SA that > was used to secure the request expires. Regards Martin _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
