New advanced setting required for StrongSwan 5.3 [RFC7296]
-
duplicate question: 2.2.2 Make-before-Break (https://forum.pfsense.org/index.php?topic=92453.0)
With the 5.3.0 release:
Added support for IKEv2 make-before-break reauthentication. By using a global
CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
This allows the use of make-before-break instead of the previously supported
break-before-make reauthentication, avoiding connectivity gaps during that
procedure. As the new mechanism may fail with peers not supporting it (such
as any previous strongSwan release) it must be explicitly enabled using
the charon.make_before_break strongswan.conf option.
https://wiki.strongswan.org/projects/1/wiki/StrongswanConf
Alas, support cannot be toggled per connection.
Here is a related bug report of interest for interop support:
https://wiki.strongswan.org/issues/857
-
Already there with 2.2.3 snapshots.