Hi Kseniya,

> So my question is: is it a default behavior for strongswan to list all
> subnets in Traffic Selector fields even if their CHILD SAs are not
> expired yet? Is it possible to change this behavior to include only
> those subnets, which need rekeying, into proposals?

You are not rekeying subnets but IPsec/CHILD_SAs. If your peer does not support multiple traffic selectors per CHILD_SA you need to negotiate a separate CHILD_SA for each combination of subnets (see [1]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA
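
The separate-CHILD_SA layout described in the reply above, sketched as a swanctl.conf fragment; this is an added example, not configuration from the thread or from the strongSwan project. The connection name, child names, peer address and subnets are constructed placeholders, and PSK authentication is assumed.

```conf
# Added example: all names, addresses and subnets below are constructed.
connections {
    peer-gw {                          # hypothetical connection name
        remote_addrs = 192.0.2.1       # placeholder peer address
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            # Layout that puts every subnet into the traffic selectors of
            # one CHILD_SA, so each rekeying of that SA lists all of them:
            #
            # all-nets {
            #     local_ts  = 10.1.0.0/24,10.1.1.0/24
            #     remote_ts = 10.2.0.0/24,10.2.1.0/24
            # }
            #
            # One CHILD_SA per combination of local and remote subnet.
            # Each child carries a single traffic selector pair and is
            # rekeyed on its own.
            net0-net0 {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
            net0-net1 {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.1.0/24
            }
            net1-net0 {
                local_ts  = 10.1.1.0/24
                remote_ts = 10.2.0.0/24
            }
            net1-net1 {
                local_ts  = 10.1.1.0/24
                remote_ts = 10.2.1.0/24
            }
        }
    }
}
# The secrets section for the PSK is left as it is in the existing setup.
```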