There is outdated information in the description of the option "ikev2-reauth" (Currently broken due to a strong swan bug)
[edit]
vyos@vyos# set vpn ipsec ike-group office-srv-ike ikev2-reauth
Possible completions:
  yes  Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug
  no   Disable remote host re-authenticaton during an IKE rekey. (Default)
I have tested this option and reauthentication is working.
Sep 13 08:48:29 vyos charon[5270]: 13[NET] <1868> received packet: from 192.168.139.101[4500] to 192.168.139.100[4500] (336 bytes)
Sep 13 08:48:29 vyos charon[5270]: 13[ENC] <1868> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 13 08:48:29 vyos charon[5270]: 13[IKE] <1868> 192.168.139.101 is initiating an IKE_SA
Sep 13 08:48:29 vyos charon[5270]: 13[CFG] <1868> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 13 08:48:29 vyos charon[5270]: 13[ENC] <1868> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 13 08:48:29 vyos charon[5270]: 13[NET] <1868> sending packet: from 192.168.139.100[4500] to 192.168.139.101[4500] (336 bytes)
Sep 13 08:48:29 vyos charon[5270]: 16[NET] <1868> received packet: from 192.168.139.101[4500] to 192.168.139.100[4500] (268 bytes)
Sep 13 08:48:29 vyos charon[5270]: 16[ENC] <1868> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 13 08:48:29 vyos charon[5270]: 16[CFG] <1868> looking for peer configs matching 192.168.139.100[192.168.139.100]...192.168.139.101[192.168.139.101]
Sep 13 08:48:29 vyos charon[5270]: 16[CFG] <peer-192.168.139.101-tunnel-0|1868> selected peer config 'peer-192.168.139.101-tunnel-0'
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> authentication of '192.168.139.101' with pre-shared key successful
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> peer supports MOBIKE
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> authentication of '192.168.139.100' (myself) with pre-shared key
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> IKE_SA peer-192.168.139.101-tunnel-0[1868] established between 192.168.139.100[192.168.139.100]...192.168.139.101[192.168.139.101]
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> scheduling reauthentication in 210s
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> maximum IKE_SA lifetime 299s
peer-192.168.139.101-tunnel-0: #1878, ESTABLISHED, IKEv2, f7efc7cdae804e47_i 89233047995a7195_r*
  local '192.168.139.100' @ 192.168.139.100[4500]
  remote '192.168.139.101' @ 192.168.139.101[4500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 10s ago, reauth in 258s
  peer-192.168.139.101-tunnel-0: #3705, reqid 1877, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 10s ago, rekeying in 36s, expires in 170s
    in c225d88d, 0 bytes, 0 packets
    out cb6c83e9, 0 bytes, 0 packets
    local 192.168.200.0/24
    remote 172.31.0.0/16
  peer-192.168.139.101-tunnel-0: #3706, reqid 1877, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 10s ago, rekeying in 34s, expires in 170s
    in cdea6779, 0 bytes, 0 packets
    out c5f743fd, 0 bytes, 0 packets
    local 192.168.200.0/24
    remote 172.31.0.0/16
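
Added example, not part of the original report and not VyOS or strongSwan code: a check that reads charon log lines in the format shown above and reports, per established IKE_SA, whether a reauthentication or only a rekey was scheduled. The second peer in the sample is constructed for contrast, and its `scheduling rekeying in Ns` line is assumed to be what charon logs when reauthentication is off.

```python
import re

# Constructed sample in the charon syslog format from the report above.
# The first peer's lines are taken from the report; the second peer is made up.
SAMPLE_LOG = """\
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> IKE_SA peer-192.168.139.101-tunnel-0[1868] established between 192.168.139.100[192.168.139.100]...192.168.139.101[192.168.139.101]
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> scheduling reauthentication in 210s
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> maximum IKE_SA lifetime 299s
Sep 13 08:52:01 vyos charon[5270]: 07[IKE] <peer-10.0.0.2-tunnel-0|1901> IKE_SA peer-10.0.0.2-tunnel-0[1901] established between 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
Sep 13 08:52:01 vyos charon[5270]: 07[IKE] <peer-10.0.0.2-tunnel-0|1901> scheduling rekeying in 250s
"""

# "<connection-name|unique-id> message" as written by the IKE log group.
IKE_LINE = re.compile(r"\[IKE\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.+)$")
TIMERS = {
    "reauth_in": re.compile(r"^scheduling reauthentication in (\d+)s$"),
    "rekey_in": re.compile(r"^scheduling rekeying in (\d+)s$"),
    "max_lifetime": re.compile(r"^maximum IKE_SA lifetime (\d+)s$"),
}

def parse_ike_sas(log_text):
    """Return {(conn, sa_id): {timer: seconds}} for each established IKE_SA."""
    sas = {}
    for line in log_text.splitlines():
        m = IKE_LINE.search(line)
        if not m:
            continue
        key = (m["conn"], int(m["sa"]))
        msg = m["msg"].strip()
        if msg.startswith("IKE_SA ") and " established between " in msg:
            sas.setdefault(key, {})
            continue
        for field, pattern in TIMERS.items():
            hit = pattern.match(msg)
            if hit and key in sas:  # ignore timers for SAs never established
                sas[key][field] = int(hit.group(1))
    return sas

def reauth_report(log_text):
    """Classify each IKE_SA as 'reauth', 'rekey-only' or 'unscheduled'."""
    report = {}
    for (conn, sa_id), timers in parse_ike_sas(log_text).items():
        status = ("reauth" if "reauth_in" in timers
                  else "rekey-only" if "rekey_in" in timers else "unscheduled")
        report[f"{conn}[{sa_id}]"] = status
    return report

if __name__ == "__main__":
    print(reauth_report(SAMPLE_LOG))
```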