Thanks Tobias for your quick response. Am trying the make-before-break approach and so far the results are good. Will run traffic for some more time to confirm the resolution.
Kind rgds,
Makarand Pradhan
Senior Software Engineer
iS5 Communications Inc.

-----Original Message-----
From: Tobias Brunner <tob...@strongswan.org>
Sent: August 18, 2020 11:47 AM
To: Makarand Pradhan <makarandprad...@is5com.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] Multiple CHILD_SA's after reauth timer expires

Hi Makarand,

> Any opinions on how to avoid the multiple CHILD_SAs after reauth?

Don't use reauth (use rekeying) or use make-before-break reauth, see [1] for details (where this issue with trap policies is also mentioned).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKE
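
The two options named in the reply, written out as strongSwan configuration. This is an added example, not taken from either poster's setup: the connection and child names, the lifetimes, `version = 2` and the use of swanctl.conf rather than ipsec.conf are assumptions.

```conf
# --- strongswan.conf: make-before-break reauthentication ---
charon {
    # Establish the replacement IKE_SA and its CHILD_SAs first, then delete
    # the old ones, instead of tearing everything down before re-establishing.
    make_before_break = yes
}

# --- swanctl.conf: rekey instead of reauthenticating ---
connections {
    site-a {                    # hypothetical connection name
        version = 2             # assumed; in-place IKE_SA rekeying is IKEv2
        reauth_time = 0         # 0 disables reauthentication
        rekey_time = 4h         # IKE_SA is rekeyed in place (sample value)
        # local/remote addresses and auth sections stay as in the
        # existing configuration
        children {
            net-a {             # hypothetical child name
                rekey_time = 1h         # sample value
                start_action = trap     # assumed, since the reply mentions
                                        # trap policies
            }
        }
    }
}
```

With either change applied, `swanctl --list-sas` after the lifetime expires should show one CHILD_SA per configured child rather than duplicates.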