diff --git a/src/starter/confread.c b/src/starter/confread.c
index a7db61625..cc2c98186 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -67,8 +67,7 @@ static void default_values(starter_config_t *cfg)
 cfg->conn_default.seen = LEMPTY;
 cfg->conn_default.startup = STARTUP_NO;
 cfg->conn_default.state = STATE_IGNORE;
- cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG |
- POLICY_PFS | POLICY_REAUTH;
+ cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS ;
 cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults");
 cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults");
@@ -449,7 +448,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
 break;
 case KW_REAUTH:
- KW_POLICY_FLAG("yes", "no", POLICY_REAUTH)
+ KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
 break;
 case KW_MODECONFIG:
 KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 41f67c891..dc81acf8a 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -206,7 +206,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
 }
 else
 {
- msg.add_conn.rekey.reauth = (conn->policy & POLICY_REAUTH);
+ msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
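Review bot: In default_values the new policy line leaves a stray space before the semicolon (`POLICY_PFS ;`) and no longer shows that reauthentication is on by default, since that now follows only from `POLICY_DONT_REAUTH` being absent. I would write `cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS;` and put the comment `/* reauth defaults to on: POLICY_DONT_REAUTH is deliberately left clear */` above it. The function body continues outside the hunk.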
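Review bot: In load_conn's `KW_REAUTH` case the swapped strings are easy to misread, because the keyword is still `reauth` while the bit it drives is now the negative `POLICY_DONT_REAUTH`. Judging by the `POLICY_DONT_REKEY` line directly above, the first string is the value that sets the flag, but the `KW_POLICY_FLAG` macro itself is not visible in this hunk. A short comment such as `/* reauth=no sets POLICY_DONT_REAUTH, reauth=yes clears it */` would spare the next reader the lookup. The switch statement starts and ends outside the hunk.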
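Review bot: In starter_stroke_add_conn the reauth value is now derived from a negative flag, but neither the definition of `POLICY_DONT_REAUTH` nor any other reader of the old `POLICY_REAUTH` bit is part of this diff. If the old constant is still defined somewhere, a leftover `conn->policy & POLICY_REAUTH` test would keep compiling, and because nothing sets that bit any more it would report reauthentication as disabled for every connection, so it is worth confirming that no such use remains. A comment on the assignment such as `/* reauth stays on unless reauth=no set POLICY_DONT_REAUTH */` would make the inversion explicit at the point where it reaches the stroke message. The enclosing function starts and ends outside the hunk.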