1 This scenario tests <b>make-before-break reauthentication</b> using overlapping
2 IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
3 initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b>, but does
4 not close the old IKE_SA before the replacement CHILD_SA is in place.
6 Because the responder is always able to install CHILD_SAs before the initiator
7 is, some traffic sent by the responder over such a CHILD_SA might get dropped by
8 the initiator (until it also installed the CHILD_SA). This is particularly
9 problematic if OCSP/CRL checks are delayed or if they can also be done via the
10 IPsec tunnel once it's established. Therefore, online OCSP/CRL checks are
11 suspended during the reauthentication and done afterwards. This is verified here
12 by revoking the responder's certificate after the SA got initially established.