strongSwan KVM Tests / ikev2 / reauth-mbb-revoked
Test ikev2/reauth-mbb-revoked
Description
This scenario tests make-before-break reauthentication using overlapping IKE_SAs by setting the make_before_break strongswan.conf option. The initiator carol reauthenticates the IKE_SA with host moon, but does not close the old IKE_SA before the replacement CHILD_SA is in place. Because the responder is always able to install CHILD_SAs before the initiator is, some traffic sent by the responder over such a CHILD_SA might get dropped by the initiator (until it also installed the CHILD_SA). This is particularly problematic if OCSP/CRL checks are delayed or if they can also be done via the IPsec tunnel once it's established. Therefore, online OCSP/CRL checks are suspended during the reauthentication and done afterwards. This is verified here by revoking the responder's certificate after the SA got initially established.