<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><div>Dear all,</div><div>Recently I have been doing some tests on the ikelifetime and keylife settings in ipsec.conf.</div><div>I am using version strongswan-4.3.2. The client uses EAP authentication and the security gateway uses public key authentication.</div><div>In the security gateway, ikelifetime and keylife are not set.</div><div>In the following cases, the console logs and the "ipsec statusall" output are from the client.</div><div><br></div><div>(1)</div><div>In the client, I set ikelifetime=36000 (10 hours) and no keylife,</div><div>and then initiate the connection to the security gateway.</div><div><br></div><div>I found that during the tunnel setup process, the log shows the following two lines</div><div><br></div><div> scheduling reauthentication in 35355s</div><div>
maximum IKE_SA lifetime 35895s</div><div><br></div><div>and ipsec statusall shows</div><div>......................</div><div>................, EAP reauthentication in 2 hours</div><div>...................</div><div>............., rekeying in 41 minutes, ........</div><div>.......................</div><div><br></div><div>(2)</div><div>In the next test, I remove ikelifetime=36000 (10 hours) from ipsec.conf in the client and</div><div>keep the other settings in the client and the security gateway. So there are now no ikelifetime or keylife settings in either the client or the gateway.</div><div><br></div><div>The log shows</div><div><br></div><div> scheduling reauthentication in 10203s</div><div> maximum IKE_SA lifetime 10743s</div><div><br></div><div>and ipsec statusall shows</div><div>......................</div><div>................, EAP reauthentication in 2
hours</div><div>...................</div><div>............., rekeying in 50 minutes, ........</div><div>.......................</div><div><br></div><div>What is the relation between the ikelifetime setting and EAP reauthentication?</div><div>It seems EAP authentication will occur at least every 2 hours (if rekeying is enabled) even if ikelifetime is greater than 2 hours?</div><div>Is this an upper bound in the strongSwan settings?</div><div>Will transmitted data packets be lost when IKE_SA rekeying or CHILD_SA rekeying happens?</div><div><br></div><div>(3)</div><div>Following the settings in (2) (no ikelifetime and keylife in either the client or the gw),</div><div>if I add reauth=no and rekey=no in both the client and the security gateway,</div><div>the log lines "scheduling reauthentication" and "maximum IKE_SA lifetime" are NOT shown on the console</div><div>and ipsec statusall shows</div><div><br></div><div>......................</div><div>................, rekeying
disabled</div><div>...................</div><div>............., rekeying disabled, ........</div><div>.......................</div><div><br></div><div>In this case, will the IKE_SA and CHILD_SA never rekey?</div><div>So does this reduce the security level due to the lack of rekeying?</div><div><br></div><div>Thank you all. ^______^</div></td></tr></table><br>
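An added example, not the original poster's configuration and not a reply from the list: an ipsec.conf fragment that makes the lifetime knobs discussed in the post explicit, with one conn that rekeys and reauthenticates on the strongSwan defaults and one that reproduces test (3) with rekeying and reauthentication switched off. The conn names are placeholders, the authentication and address settings are omitted because they do not affect the timers, and the formula for the scheduled time in the comments is the usual strongSwan one (an assumption here, although the numbers in the post are consistent with it: 36000 - 35355 = 645 s and 10800 - 10203 = 597 s both fall between one and two rekeymargins).

```ini
# Added example ipsec.conf fragment (strongSwan 4.x syntax); not the
# poster's own config. Timer values are the strongSwan defaults made
# explicit; conn names are assumed placeholders.
config setup
        # ...

conn gw-rekeying
        # IKE_SA lifetime. When it runs out the IKE_SA is reauthenticated
        # from scratch (reauth=yes, the default) or rekeyed in place
        # (reauth=no). The "maximum IKE_SA lifetime" line in the log is
        # this value minus the random part of the margin.
        ikelifetime=3h
        # CHILD_SA (IPsec SA) lifetime; this drives the "rekeying in ..."
        # figure of ipsec statusall
        keylife=1h
        # how long before expiry the rekeying/reauthentication starts
        rekeymargin=9m
        # random slack of up to 100% of rekeymargin, so (assumed formula)
        # the scheduled time lands in [lifetime - 2*margin, lifetime - margin]
        # and the two peers do not collide when both try to rekey
        rekeyfuzz=100%
        rekey=yes
        reauth=yes
        # leftauth/rightauth, left/right, leftid/rightid etc. omitted
        auto=start

conn gw-no-rekeying
        # test (3) from the post: this side schedules neither rekeying nor
        # reauthentication, and ipsec statusall reports "rekeying disabled"
        # for the IKE_SA and the CHILD_SA
        rekey=no
        reauth=no
        # leftauth/rightauth, left/right, leftid/rightid etc. omitted
        auto=start
```

Only the side that has rekey=no stops initiating; whether the SA is still renewed then depends on the peer's settings, which is why the post switches both ends off together. Compare the "scheduling reauthentication in ..." log line and the "rekeying in ..." column of ipsec statusall before and after changing ikelifetime, keylife and rekeymargin to see which timer each one follows.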