Thank you, Tobias. Honestly, I thought that for IKEv2 multiple traffic selectors are possible anyway. Also, I was confused about the subnets because with ipsec statusall it shows different rekey time values for different policies which include traffic selectors (ip.net1 === ip.net2). strongSwan also prints "creating rekey job for CHILD_SA ESP/0x12345678/" to the log file, which made me think it should rekey only this particular SA, with a particular SPI, matching a specific source and destination (TS). Sorry if it's a stupid question - but is it trying to rekey all CHILD_SAs instead when at least one of them is expired?
We will contact our peer and if they don't support multiple traffic selectors we will follow your example. Thank you for your help.

Mon, 12 Nov 2018 at 17:46, Tobias Brunner <[email protected]>:
> Hi Kseniya,
>
> > So my question is: is it a default behavior for strongswan to list all
> > subnets in Traffic Selector fields even if their CHILD SAs are not
> > expired yet? Is it possible to change this behavior to include only
> > those subnets, which need rekeying, into proposals?
>
> You are not rekeying subnets but IPsec/CHILD_SAs. If your peer does not
> support multiple traffic selectors per CHILD_SA you need to negotiate a
> separate CHILD_SA for each combination of subnets (see [1]).
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA

--
BR, Kseniya
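As an added illustration of the two approaches Tobias contrasts (not part of the thread and not strongSwan project code), the ipsec.conf fragment below shows one conn that puts all subnet pairs into a single CHILD_SA as multiple traffic selectors, beside the per-pair conns you fall back to when the peer accepts only one traffic selector per CHILD_SA. The subnets, the peer address and the conn names are assumed placeholder values; authentication settings are left out.

```ini
# Added example, not from the mailing-list thread. All addresses are
# constructed placeholders; authentication settings are omitted.

conn %default
    keyexchange=ikev2
    left=%defaultroute
    right=203.0.113.1
    auto=start

# Variant A: one CHILD_SA carrying every subnet pair as multiple
# traffic selectors (IKEv2 only; the peer must support it). A rekey of
# this CHILD_SA necessarily re-proposes all of these subnets at once.
conn nets-single-sa
    leftsubnet=10.1.1.0/24,10.1.2.0/24
    rightsubnet=10.2.1.0/24,10.2.2.0/24

# Variant B: a separate conn, and hence a separate CHILD_SA, for each
# combination of local and remote subnet. Each one has its own SPIs and
# rekeys on its own schedule, so only the expiring pair is renegotiated.
# Use variant B instead of A, not in addition to it.
conn net1-to-net1
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.1.0/24

conn net1-to-net2
    leftsubnet=10.1.1.0/24
    rightsubnet=10.2.2.0/24

conn net2-to-net1
    leftsubnet=10.1.2.0/24
    rightsubnet=10.2.1.0/24

conn net2-to-net2
    leftsubnet=10.1.2.0/24
    rightsubnet=10.2.2.0/24
```

With variant B, ipsec statusall lists each conn with its own rekey timer, which matches the per-policy times you observed.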
