ikev2: Trigger make-before-break reauthentication instead of reauth task

author: Martin Willi <martin@revosec.ch> 2014-11-03 16:37:29 +0100
committer: Martin Willi <martin@revosec.ch> 2015-02-20 13:34:57 +0100
commit: 349f7f24120cf00d499a34abe01fc7c19ec39ecf (patch)
tree: 3479bd64665e3ae1c1d750b3fbf5066d92b5b2b2 /conf
parent: c8e7dbcb563fddda26f85110e0b46cdd6173651f (diff)
download: strongswan-349f7f24120cf00d499a34abe01fc7c19ec39ecf.tar.bz2
strongswan-349f7f24120cf00d499a34abe01fc7c19ec39ecf.tar.xz
1 files changed, 10 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 02629a3f4..fc38a1451 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -196,6 +196,16 @@ charon.load_modular = no
 charon.max_packet = 10000
 	Maximum packet size accepted by charon.
 
+charon.make_before_break = no
+	Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+	Initiate IKEv2 reauthentication with a make-before-break instead of a
+	break-before-make scheme. Make-before-break uses overlapping IKE and
+	CHILD_SA during reauthentication by first recreating all new SAs before
+	deleting the old ones. This behavior can be beneficial to avoid connectivity
+	gaps during reauthentication, but requires support for overlapping SAs by
+	the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
 charon.mem-pool.reassign_online = no
 	Reassign an online IP address lease from an in-memory address pool if a
 	client with the same identity requests it explicitly.
author	Martin Willi <martin@revosec.ch>	2014-11-03 16:37:29 +0100
committer	Martin Willi <martin@revosec.ch>	2015-02-20 13:34:57 +0100
commit	349f7f24120cf00d499a34abe01fc7c19ec39ecf (patch)
tree	3479bd64665e3ae1c1d750b3fbf5066d92b5b2b2 /conf
parent	c8e7dbcb563fddda26f85110e0b46cdd6173651f (diff)
download	strongswan-349f7f24120cf00d499a34abe01fc7c19ec39ecf.tar.bz2 strongswan-349f7f24120cf00d499a34abe01fc7c19ec39ecf.tar.xz