Issue #857
Is IKE-SA reauthentication without data packet drops possible?
Description
I am testing a new proprietary IKEv2 implementation for interworking compatibility with StrongSwan,
using v5.2.2 on Linux. Our implementation is able to reauthenticate the IKE-SA without drops
when interworking with itself, as described in RFC 7296 section 7.2.3, by negotiating a new IKE-SA
with new child, leaving the old IKE-SA in place, and when complete deleting the old IKE-SA and child.
I seem unable to configure StrongSwan to enable this seamless reauthentication, however. Am I missing
some configuration detail, or is this a shortcoming of the StrongSwan implementation (or possibly the
Linux kernel IPsec implementation)?
Using default configuration parameters, when StrongSwan decides to initiate reauthentication it first
closes the old SA. If instead the peer (our new implementation) decides to initiate reauthentication,
StrongSwan again deletes the old SA before the new one is completely constructed, as a result of the
default uniqueids=yes setting. Changing to uniqueids=no however does not help, as although that
now leaves the old SA in place, the new SA's child fails to get created by StrongSwan as the kernel
rejects the IPsec policy, as it conflicts (is identical with) the old child policy.
I would be surprised if a standard StrongSwan VPN regularly drops the data connection, even momentarily,
when reauthentication is due (every 3 hours by default), so I'm hoping I am missing something obvious.
History
#1 Updated by Tobias Brunner over 10 years ago
- Status changed from New to Feedback
I seem unable to configure StrongSwan to enable this seamless reauthentication, however. Am I missing
some configuration detail, or is this a shortcoming of the StrongSwan implementation (or possibly the
Linux kernel IPsec implementation)?
The next release will support make-before-break reauthentication. Please try the code from the current master. You may enable support for it with the charon.make_before_break option in strongswan.conf.
I would be surprised if a standard StrongSwan VPN regularly drops the data connection, even momentarily,
when reauthentication is due (every 3 hours by default), so I'm hoping I am missing something obvious.
That has actually been the default behavior for IKEv2 so far. We usually recommended to use IKE rekeying instead of reauthentication (reauth=no).
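The two settings named in this reply, written out as configuration, as an added example that is not from the issue or from the strongSwan project. It assumes a strongSwan release that has the charon.make_before_break option (the master branch after 5.2.2 referred to above, which shipped as 5.3.0; the 5.2.2 used in the report does not have it), a hypothetical connection named `site-b`, and placeholder addresses, identities and subnets.

```conf
# /etc/strongswan.conf (added example; option exists in 5.3.0 and later)
charon {
    # Default is "no": charon deletes the old IKE_SA and its CHILD_SAs first
    # (break-before-make), which is the data gap described in the report.
    # "yes" builds the new IKE_SA and CHILD_SA alongside the old ones and
    # only then deletes the old pair (RFC 7296 section 2.8.3 style overlap).
    make_before_break = yes
}

# /etc/ipsec.conf (added example; "site-b", addresses, IDs, subnets are placeholders)
config setup
    # Leave at the default. The report shows uniqueids=no is not the lever:
    # the old SA then stays, but the kernel rejects the duplicate child policy.
    uniqueids=yes

conn site-b
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example
    right=198.51.100.1
    rightid=@gw-b.example
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    # Defaults shown explicitly: IKE_SA every 3h (the interval the report
    # mentions), CHILD_SA every 1h.
    ikelifetime=3h
    lifetime=1h
    # reauth=yes (default): a fresh IKE_AUTH exchange every ikelifetime,
    # seamless only with make_before_break=yes on a release that supports it.
    # reauth=no: the alternative recommended above, IKE_SA rekeying via
    # CREATE_CHILD_SA, which always creates the new IKE_SA before deleting
    # the old one and needs no peer support for overlapping SAs.
    reauth=yes
    auto=start
```

Make-before-break only avoids the gap if the peer tolerates two overlapping IKE_SAs from the same identity for the duration of the reauthentication; the report's peer does, since it implements the same scheme. To confirm the behaviour on the strongSwan side, run `ipsec statusall` while a reauthentication is in progress: with the option enabled, the connection should list both the old and the new IKE_SA for the overlap period instead of disappearing and reappearing.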
#2 Updated by Cliff Hones over 10 years ago
That is excellent news! I have just rebuilt from git master and enabled make_before_break,
and initial testing confirms this is working as expected (peering with our own IKEv2).
I have only tested in one direction so far (our end instigating reauthentication). As this
is new code and you may be interested to see how it interworks with non-StrongSwan implementations
I shall update with any further findings.
#3 Updated by Tobias Brunner about 10 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No feedback
#4 Updated by Tobias Brunner over 9 years ago
- Has duplicate Issue #1395: Why does strongswan delete the old SAs before New SAs established during reauth, which leads to a possible traffic interruption. added