Hi Volodymyr,

> - what is wrong with make_before_break, why it (according to logs)
> closes and then creates new SA?

That option only affects IKE_SA reauthentication. CHILD_SA rekeying is different and should always happen overlapping. However, with your settings, the SA expires pretty much immediately (you can't set lifetime so low without changing the margin too), so it gets deleted (it's already gone in the kernel once it expired) and recreated. See [1] for details on rekey settings.

> - what does it mean "no acceptable ENCRYPTION_ALGORITHM found" on
> responder side during SA renegotiation?

You have two ESP proposals configured on the responder, one with AEAD algorithms (AES-GCM) and one with classic algorithms (AES-CBC + HMAC). The first one doesn't match the client's proposal, as it only proposes AES-CBC.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
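
The lifetime/margin interaction described in the reply, as an added example that is not part of the original message or of strongSwan's code: it applies the ipsec.conf rekey formula from the ExpiryRekey page and flags settings where the SA hits its hard expiry before a rekey can be scheduled. It assumes the connection uses the ipsec.conf keywords `lifetime`, `margintime` and `rekeyfuzz` (defaults 1h, 9m, 100%); the function names, verdict strings and sample values are constructed for illustration.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert an ipsec.conf time value such as '30s', '9m' or '1h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def rekey_window(lifetime="1h", margintime="9m", rekeyfuzz="100%"):
    """Return (earliest, latest) rekey start, in seconds after SA installation.

    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
    """
    life = seconds(lifetime)
    margin = seconds(margintime)
    fuzz = int(rekeyfuzz.rstrip("%")) / 100
    earliest = life - margin * (1 + fuzz)   # largest random fuzz drawn
    latest = life - margin                  # no fuzz drawn
    return earliest, latest

def assess(lifetime="1h", margintime="9m", rekeyfuzz="100%"):
    """Classify a setting (hypothetical verdict names)."""
    earliest, latest = rekey_window(lifetime, margintime, rekeyfuzz)
    if latest <= 0:
        # Rekey would have to start at or before installation: the SA
        # reaches its hard lifetime and is deleted, then recreated.
        return "expires-before-rekey"
    if earliest <= 0:
        # Depends on the random fuzz drawn for this particular SA.
        return "may-expire-before-rekey"
    return "ok"

if __name__ == "__main__":
    # Constructed sample settings, not the values from the thread.
    samples = [
        {},                                   # all defaults
        {"lifetime": "30s"},                  # low lifetime, default margin
        {"lifetime": "15m"},                  # inside the fuzz range
        {"lifetime": "30s", "margintime": "5s", "rekeyfuzz": "0%"},
    ]
    for cfg in samples:
        print(cfg or "defaults", rekey_window(**cfg), assess(**cfg))
```
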
