Description: Tested the ikev2 reauthentication in 1.4.1 and recent 1.5 version and it does not seem to work.
Initiator:
set vpn ipsec authentication psk VPN_01 id '10.110.2.52'
set vpn ipsec authentication psk VPN_01 secret 'vyos'
set vpn ipsec esp-group esp01 lifetime '1800'
set vpn ipsec esp-group esp01 mode 'tunnel'
set vpn ipsec esp-group esp01 pfs 'dh-group19'
set vpn ipsec esp-group esp01 proposal 10 encryption 'aes128'
set vpn ipsec esp-group esp01 proposal 10 hash 'sha512'
set vpn ipsec ike-group IKEv2_re ikev2-reauth
set vpn ipsec ike-group IKEv2_re key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_re lifetime '3600'
set vpn ipsec ike-group IKEv2_re proposal 10 dh-group '20'
set vpn ipsec ike-group IKEv2_re proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKEv2_re proposal 10 hash 'sha512'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer vpn_01 authentication local-id '10.110.2.52'
set vpn ipsec site-to-site peer vpn_01 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer vpn_01 authentication remote-id '10.110.1.52'
set vpn ipsec site-to-site peer vpn_01 ike-group 'IKEv2_re'
set vpn ipsec site-to-site peer vpn_01 ikev2-reauth 'yes'
set vpn ipsec site-to-site peer vpn_01 local-address '10.110.2.52'
set vpn ipsec site-to-site peer vpn_01 remote-address '10.110.1.52'
set vpn ipsec site-to-site peer vpn_01 vti bind 'vti01'
set vpn ipsec site-to-site peer vpn_01 vti esp-group 'esp01'
Responder:
set vpn ipsec esp-group esp01 lifetime '1800'
set vpn ipsec esp-group esp01 mode 'tunnel'
set vpn ipsec esp-group esp01 pfs 'dh-group19'
set vpn ipsec esp-group esp01 proposal 10 encryption 'aes128'
set vpn ipsec esp-group esp01 proposal 10 hash 'sha512'
set vpn ipsec ike-group IKEv2_re ikev2-reauth
set vpn ipsec ike-group IKEv2_re key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_re lifetime '3600'
set vpn ipsec ike-group IKEv2_re proposal 10 dh-group '20'
set vpn ipsec ike-group IKEv2_re proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKEv2_re proposal 10 hash 'sha512'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer vpn_02 authentication local-id '10.110.1.52'
set vpn ipsec site-to-site peer vpn_02 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer vpn_02 authentication remote-id '10.110.2.52'
set vpn ipsec site-to-site peer vpn_02 connection-type 'respond'
set vpn ipsec site-to-site peer vpn_02 ike-group 'IKEv2_re'
set vpn ipsec site-to-site peer vpn_02 ikev2-reauth 'yes'
set vpn ipsec site-to-site peer vpn_02 local-address '10.110.1.52'
set vpn ipsec site-to-site peer vpn_02 remote-address '10.110.2.52'
set vpn ipsec site-to-site peer vpn_02 vti bind 'vti01'
set vpn ipsec site-to-site peer vpn_02 vti esp-group 'esp01'
Output:
vpn_01: #162, ESTABLISHED, IKEv2, 33477fa8a3a7a1c5_i* b3f8d0c85845d273_r
  local '10.110.2.52' @ 10.110.2.52[4500]
  remote '10.110.1.52' @ 10.110.1.52[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
  established 1628s ago, rekeying in 1947s
  vpn_01-vti: #166, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_512_256/ECP_256
    installed 427s ago, rekeying in 1096s, expires in 1373s
    in cb90c4df (-|0x00000002), 5040 bytes, 60 packets, 17s ago
    out c885700d (-|0x00000002), 5040 bytes, 60 packets, 15s ago
    local 0.0.0.0/0 ::/0
    remote 0.0.0.0/0 ::/0

reauth_time is not added in the connected status and no logs were found for reauthentication.
Attached swanctl.conf file.
strongSwan does seem to support reauthentication:
https://docs.strongswan.org/docs/5.9/config/rekeying.html#_reauthentication
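A quick way to confirm the symptom described above (IKE SA shows a rekey timer but no reauthentication timer) is to parse `swanctl --list-sas` output and flag established IKE SAs that carry no reauth timer. This is an added check, not part of the report or of VyOS/strongSwan; the second sample assumes the wording `reauth in Ns` that swanctl prints when `reauth_time` is set on the connection.

```python
import re

# Constructed sample taken from the report: the IKE SA has only a rekey timer.
STATUS_NO_REAUTH = """\
vpn_01: #162, ESTABLISHED, IKEv2, 33477fa8a3a7a1c5_i* b3f8d0c85845d273_r
  local '10.110.2.52' @ 10.110.2.52[4500]
  remote '10.110.1.52' @ 10.110.1.52[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
  established 1628s ago, rekeying in 1947s
  vpn_01-vti: #166, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_512_256/ECP_256
    installed 427s ago, rekeying in 1096s, expires in 1373s
"""

# Constructed sample of a working setup (assumed format: swanctl prints
# "reauth in Ns" for an IKE SA with a scheduled reauthentication).
STATUS_WITH_REAUTH = """\
vpn_01: #170, ESTABLISHED, IKEv2, 0011223344556677_i* 8899aabbccddeeff_r
  established 12s ago, reauth in 3588s
"""

# IKE SA header lines; child SA headers say "reqid N" instead of "IKEv2", so they do not match.
IKE_SA_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv(\d)")
# Timer line of an IKE SA; child SAs start with "installed", so they do not match.
TIMER_RE = re.compile(r"^established (\d+)s ago(?:, rekeying in (\d+)s)?(?:, reauth in (\d+)s)?")


def parse_ike_sas(status_text):
    """Return one dict per IKE SA with its rekey/reauth timers (None when absent)."""
    sas = []
    for raw in status_text.splitlines():
        line = raw.strip()
        m = IKE_SA_RE.match(line)
        if m:
            sas.append({"name": m.group(1), "id": int(m.group(2)), "state": m.group(3),
                        "version": int(m.group(4)), "rekey_in": None, "reauth_in": None})
            continue
        m = TIMER_RE.match(line)
        if m and sas:
            sas[-1]["rekey_in"] = int(m.group(2)) if m.group(2) else None
            sas[-1]["reauth_in"] = int(m.group(3)) if m.group(3) else None
    return sas


def sas_without_reauth(status_text):
    """Names of ESTABLISHED IKE SAs that have no reauthentication scheduled."""
    return [sa["name"] for sa in parse_ike_sas(status_text)
            if sa["state"] == "ESTABLISHED" and sa["reauth_in"] is None]


if __name__ == "__main__":
    for label, text in (("report", STATUS_NO_REAUTH), ("expected", STATUS_WITH_REAUTH)):
        print(label, "- IKE SAs missing reauth:", sas_without_reauth(text) or "none")
```

On a live box, feed it the real output with `swanctl --list-sas` piped into the script's stdin in place of the constructed samples.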