On 28/09/2020 10:52, Tobias Brunner wrote:
> Hi,
>
>> up-client is called for each combination of remote ts and local ts
>> components, as is down-client, when a CHILD_SA is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
>> are negotiated/destroyed.
> The updown script is *not* called for IKE or CHILD_SA rekeyings.
> However, if reauthentication is used with IKEv2, the script will be
> called as new CHILD_SAs are created. A down-event will be called either
> before or after the reauthentication and the corresponding up-event
> depending on whether make-before-break reauthentication is used by the
> client, see [1].
>
> By the way, the VICI interface does expose the ike/child-rekey events.
> But reauthentication is not handled differently.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
Thanks. Okay, if I may repeat my question: is that behavior controllable somehow, configured somewhere, or is it all on the script? In case config does the trick, here is what I have on the server's end:

    connections {
        jatymy {
            version = 2
            dpd_delay = 300s
            fragmentation = "yes"
            pools = "dhcp"
            local {
                certs = "jatymy-vpnserver.cert.der"
                id = "%any"
            }
            remote {
            }
            children {
                jatymy {
                    updown = "/usr/libexec/strongswan/vti-iface server"
                    mark_in = 11
                    mark_out = 11
                    local_ts = "10.3.1.0/24"
                    start_action = "start"
                    mode = pass
                }
            }
        }
    }

many thanks,
L.
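As an added example (not from the thread and not strongSwan's own code): a small VICI listener that logs the ike/child-rekey events Tobias mentions next to the updown events, so rekeys stay visible even though the updown script is never run for them. The event message layout that summarize() walks (IKE_SA config name as top-level key, CHILD_SAs under "child-sas") is an assumption to check against the vici README shipped with your strongSwan release.

```python
import logging

try:
    import vici  # strongSwan's Python VICI client (src/libcharon/plugins/vici/python)
except ImportError:  # keep the parsing helper usable on hosts without the daemon
    vici = None

# updown-style events plus the rekey events the updown script never reports.
EVENTS = ["ike-updown", "ike-rekey", "child-updown", "child-rekey"]


def summarize(label, msg):
    """Flatten one VICI event into a list of (event, ike_name, [child names]).

    Assumed layout (verify for your release): the body is keyed by IKE_SA
    config name; an optional 'child-sas' section lists the CHILD_SAs involved.
    Scalar values (e.g. 'up = yes' in ike-updown) arrive as bytes and are
    skipped here because they are not SA sections.
    """
    records = []
    for ike_name, ike in msg.items():
        if not isinstance(ike, dict):
            continue
        children = ike.get("child-sas", {})
        names = sorted(children.keys()) if isinstance(children, dict) else []
        records.append((label, ike_name, names))
    return records


def watch():
    """Block on the VICI socket and log every SA event, rekeys included."""
    if vici is None:
        raise RuntimeError("vici Python package not installed")
    session = vici.Session()  # connects to /var/run/charon.vici by default
    for label, msg in session.listen(EVENTS):
        for event, ike_name, children in summarize(label, msg):
            logging.info("%s ike=%s children=%s", event, ike_name, children)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    watch()
```

Run it as a user with access to the VICI socket; the daemon only delivers events while the session stays registered, so keep it running under a supervisor if the log should be continuous.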