Hi Tom,

> Is there a reason that, when using two Strongswan endpoints, one would
> not choose reauth=no?

Yes. Reauthentication re-evaluates authentication credentials, checks the certificate status or rechecks permissions in the AAA backend. IKE_SA rekeying, as used with reauth=no, only refreshes key material, but does not verify the peer credentials.

> It seems to me that using reauth=no would result in fewer traffic
> interruptions, unless I have missed something.

Yes. However, with the upcoming 5.3.0 release, we will introduce support for make-before-break re-authentication, which establishes the new tunnel with all CHILD_SAs before closing the old one, basically avoiding any interruptions.

Regards
Martin

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
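To make the trade-off Martin describes concrete, here is an added ipsec.conf fragment (written for this note, not taken from the thread or from the strongSwan project) contrasting a connection that only rekeys the IKE_SA with one that periodically re-authenticates. The connection names, addresses and certificate file names are placeholders; the lifetime values are arbitrary illustration. The `charon.make_before_break` strongswan.conf setting mentioned at the end is the switch that enables the 5.3.0 make-before-break behaviour and comes from strongSwan's documentation rather than from this message.

```conf
# ipsec.conf (added example; names and addresses are placeholders)
config setup

# Variant A: rekey only. When ikelifetime expires, charon performs an
# IKE_SA rekey (CREATE_CHILD_SA), which derives fresh key material but
# never re-validates the peer's certificate, revocation status or
# AAA authorization. A revoked peer certificate stays trusted until
# the IKE_SA is torn down for some other reason.
conn site-a-rekey-only
    keyexchange=ikev2
    left=192.0.2.1
    leftcert=gwA.pem
    right=198.51.100.1
    rightid="C=CH, O=Example, CN=gwB"
    ikelifetime=3h      # IKE_SA lifetime: triggers a rekey, not a reauth
    lifetime=1h         # CHILD_SA lifetime
    margintime=9m       # start rekeying this long before expiry
    rekeyfuzz=100%      # randomise margintime to avoid simultaneous rekeys
    reauth=no           # weaker: credentials are checked only at setup
    auto=start

# Variant B: periodic re-authentication. With reauth=yes the same
# ikelifetime instead triggers a full re-authentication: a new IKE_SA
# is negotiated from scratch, so certificate validity, CRL/OCSP status
# and any RADIUS/EAP authorization are re-checked on each cycle.
# Before 5.3.0 this is break-before-make and briefly interrupts traffic.
conn site-a-reauth
    keyexchange=ikev2
    left=192.0.2.1
    leftcert=gwA.pem
    right=198.51.100.1
    rightid="C=CH, O=Example, CN=gwB"
    ikelifetime=3h      # now the re-authentication interval
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
    reauth=yes          # default; re-validates peer credentials
    auto=start

# strongswan.conf (charon section), strongSwan 5.3.0 or later:
#
# charon {
#     # Establish the replacement IKE_SA and all its CHILD_SAs before
#     # deleting the old ones, so reauth=yes no longer drops traffic.
#     make_before_break = yes
# }
```

The practical reading of Martin's answer: variant A gives uninterrupted tunnels but a stale trust decision; variant B keeps the trust decision fresh at the cost of a short outage per cycle, and enabling make-before-break on both endpoints removes that cost once both run a release that supports it.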