IKE reauthentication and certificate expiry handling #298

krishnamurthyvd · 2021-03-31T11:27:53Z

krishnamurthyvd
Mar 31, 2021

In our strongswan IKE deployment, we have certificates placed under /etc/ipsec.d. We have reauthentication enabled once every 4 hrs.
We intend to refresh the certs every 3 months. Basically certs expire every 3 months. The new certs are placed under same /etc/ipsec.d. So the question here is that

Will IKE drop the IKE session during re-authentication if the certs have expired?
Will IKE reload/read the new certs during reauthentication or should the new certs be reloaded manually ?

Thermi · 2021-03-31T11:40:08Z

Thermi
Mar 31, 2021

Only the remote's certs are checked.
The latter, and the expired local cert should be removed beforehand. The certificate files do not need to persist after they were initially read by the daemon. They are kept in memory.

2 replies

krishnamurthyvd Mar 31, 2021
Author

So the old certs need to be replaced and new certs reloaded before the reauthentication starts. Is that right? There is no option to reload it as IKE knows that a cert has expired?

Thermi Mar 31, 2021

Exactly.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IKE reauthentication and certificate expiry handling #298

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

IKE reauthentication and certificate expiry handling #298

krishnamurthyvd Mar 31, 2021

Replies: 1 comment · 2 replies

Thermi Mar 31, 2021

krishnamurthyvd Mar 31, 2021 Author

Thermi Mar 31, 2021

krishnamurthyvd
Mar 31, 2021

Replies: 1 comment 2 replies

Thermi
Mar 31, 2021

krishnamurthyvd Mar 31, 2021
Author