On 28/09/2020 10:52, Tobias Brunner wrote:
> Hi,
>
>> up-client is called for each combination of remote ts and local ts 
>> components, as is down-client, when a CHILD_SA is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs 
>> are negotiated/destroyed.
> The updown script is *not* called for IKE or CHILD_SA rekeyings.
> However, if reauthentication is used with IKEv2, the script will be
> called as new CHILD_SAs are created.  A down-event will be called either
> before or after the reauthentication and the corresponding up-event
> depending on whether make-before-break reauthentication is used by the
> client, see [1].
>
> By the way, the VICI interface does expose the ike/child-rekey events.
> But reauthentication is not handled differently.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Thanks. Okay, if I may repeat my question: is that behavior
controllable somehow, configured somewhere, or is it all on
the script?

In case the config does the trick, here is what I have on
the server's end:

connections {
  jatymy {
    version = 2
    dpd_delay = 300s
    fragmentation = "yes"
    pools = "dhcp"
    local {
      certs = "jatymy-vpnserver.cert.der"
      id = "%any"
    }
    remote {
    }
    children {
      jatymy {
        updown = "/usr/libexec/strongswan/vti-iface server"
        mark_in = 11
        mark_out = 11
        local_ts = "10.3.1.0/24"
        start_action = "start"
        mode = pass
      }
    }
  }
}

many thanks, L.
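The following is an added example of an updown script that copes with the event ordering Tobias describes above; it is not strongSwan's own _updown script and not the /usr/libexec/strongswan/vti-iface script from the config, and the interface name vti11, the state directory, the DRY_RUN switch and the helper names are assumptions. With make-before-break reauthentication the up-client for the replacement CHILD_SA arrives before the down-client for the old one, so a script that deletes the VTI on every down-client would take down a live tunnel; the example keys each CHILD_SA instance on the PLUTO_UNIQUEID, PLUTO_REQID and traffic-selector variables charon exports and only creates the interface on the first up and deletes it on the last down, which also handles the break-before-make order.

```shell
#!/bin/sh
# Added example updown script for a VTI interface (not strongSwan's _updown,
# not the poster's vti-iface). VTI_IF, STATE_DIR, DRY_RUN and the helper
# names are assumptions; the PLUTO_* variables are the ones strongSwan
# exports to updown scripts.
#
# Make-before-break reauthentication delivers up-client (new CHILD_SA) before
# down-client (old CHILD_SA); break-before-make delivers them the other way
# round. We therefore record every CHILD_SA instance in STATE_DIR and create
# the VTI only on the first up and delete it only on the last down.

VTI_IF="${VTI_IF:-vti11}"                  # assumed name; VTI key == mark 11
STATE_DIR="${STATE_DIR:-/run/strongswan-vti}"
DRY_RUN="${DRY_RUN:-0}"                    # 1: log ip(8) calls instead of running them

run_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ip %s\n' "$*" >> "$STATE_DIR/ip.log"
    else
        ip "$@"
    fi
}

# Number of CHILD_SA instances currently recorded for the interface.
active_sas() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# vti_updown VERB SA_KEY LOCAL_IP PEER_IP MARK
# Prints one of: created, kept, deleted, ignored.
vti_updown() {
    verb="$1"
    sa=$(printf '%s' "$2" | tr '/:' '__')  # make the key safe as a file name
    me="$3" peer="$4" key="$5"
    dir="$STATE_DIR/$VTI_IF"
    mkdir -p "$dir"

    case "$verb" in
    up-client|up-client-v6)
        if [ -e "$dir/$sa" ]; then
            echo kept                      # duplicate up for the same SA
            return 0
        fi
        if [ "$(active_sas "$dir")" -eq 0 ]; then
            run_ip link add "$VTI_IF" type vti local "$me" remote "$peer" key "$key"
            run_ip link set "$VTI_IF" up
            : > "$dir/$sa"
            echo created
        else
            : > "$dir/$sa"
            echo kept                      # interface already serves another SA
        fi
        ;;
    down-client|down-client-v6)
        if [ ! -e "$dir/$sa" ]; then
            echo ignored                   # down for an SA we never recorded
            return 0
        fi
        rm -f "$dir/$sa"
        if [ "$(active_sas "$dir")" -eq 0 ]; then
            run_ip link del "$VTI_IF"
            echo deleted
        else
            echo kept                      # the replacement SA is still up
        fi
        ;;
    *)
        echo ignored                       # up-host/down-host and friends
        ;;
    esac
}

# When charon invokes the script PLUTO_VERB is set; build the SA key from
# the exported variables. PLUTO_MARK_IN is "mark/mask"; keep only the mark.
if [ -n "${PLUTO_VERB:-}" ]; then
    mark="${PLUTO_MARK_IN:-0}"
    mark="${mark%%/*}"
    vti_updown "$PLUTO_VERB" \
        "${PLUTO_UNIQUEID:-0}-${PLUTO_REQID:-0}-${PLUTO_MY_CLIENT:-}-${PLUTO_PEER_CLIENT:-}" \
        "${PLUTO_ME:-}" "${PLUTO_PEER:-}" "$mark" > /dev/null
fi
```

PLUTO_UNIQUEID identifies the IKE_SA and changes when a reauthentication creates a new one, which is what lets the script tell the old CHILD_SA's down-client from the new CHILD_SA's up-client even though both carry the same traffic selectors and, normally, the same reqid. The VTI key must equal the mark_in/mark_out value from the child config (11 above) or the kernel will not steer the decrypted traffic onto the interface. Set DRY_RUN=1 and STATE_DIR to a scratch directory to exercise the ordering without root.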
