Hi,

> up-client is called for each combination of remote ts and local ts
> components, as is down-client, when a CHILD_SA is established/destroyed.
> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs are
> negotiated/destroyed.

The updown script is *not* called for IKE or CHILD_SA rekeyings. However, if reauthentication is used with IKEv2, the script will be called as new CHILD_SAs are created. A down-event will be called either before or after the reauthentication and the corresponding up-event depending on whether make-before-break reauthentication is used by the client, see [1].

By the way, the VICI interface does expose the ike/child-rekey events. But reauthentication is not handled differently.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
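
The ordering described in the reply above matters for any updown script that installs state on up-client and removes it on down-client: with make-before-break reauthentication the old SA's down event arrives after the new SA's up event. The following is an added example, not part of the original message or of strongSwan's own updown script; `STATE_DIR`, `pair_dir`, `handle_event` and the printed action names are hypothetical, and it assumes the replacement IKE_SA carries a different `PLUTO_UNIQUEID` than the one it replaces.

```shell
#!/bin/sh
# Added example: updown handler that tolerates either up/down ordering
# by tracking which IKE_SAs currently cover a traffic selector pair.
# STATE_DIR is an assumed location; a real script must keep it root-only.
STATE_DIR="${STATE_DIR:-/var/run/updown-example}"

# Directory holding one marker file per IKE_SA for a selector pair.
pair_dir() {
    # Selectors contain '/' (and ':' for IPv6), so make them filename-safe.
    printf '%s/%s' "$STATE_DIR" "$(printf '%s_%s' "$1" "$2" | tr '/:' '__')"
}

# handle_event VERB UNIQUEID MY_CLIENT PEER_CLIENT
# Prints the action a real script would take: install, remove or noop.
handle_event() {
    verb=$1
    uid=$2
    dir=$(pair_dir "$3" "$4")
    case "$verb" in
    up-client)
        mkdir -p "$dir"
        # Only the first SA covering this pair triggers the install.
        if [ -z "$(ls -A "$dir")" ]; then action=install; else action=noop; fi
        : > "$dir/$uid"
        echo "$action"
        ;;
    down-client)
        rm -f "$dir/$uid"
        # Remove state only when no other SA still covers the pair.
        if [ -d "$dir" ] && [ -z "$(ls -A "$dir")" ]; then
            rmdir "$dir"
            echo remove
        else
            echo noop
        fi
        ;;
    *)
        echo noop
        ;;
    esac
}

# When run as an updown script, the event arrives in the environment.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_event "$PLUTO_VERB" "${PLUTO_UNIQUEID:-}" \
        "${PLUTO_MY_CLIENT:-}" "${PLUTO_PEER_CLIENT:-}"
fi
```

A real script would replace the printed `install` and `remove` with its firewall or routing change, so that the late down event of a replaced SA leaves the rules of its successor in place.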