<div>
<p>Dear Martin,</p>
<p>Thanks for your reply. ^______^</p>
<pre>
I have another question:

Will the transmitted data packets be lost during IKE_SA rekeying or Child_SA rekeying?
We tried to send packets continuously (ping) through the IPsec tunnel,
but about every 50 minutes the link went down and then recovered.
The rekeying process should not affect the transmitted data packets, as
there is a time period in which the old SA and the new SA overlap.
The kernel usually uses the newer SA for outgoing packets, but accepts
incoming packets on both SAs, as said in
<a href="http://www.mail-archive.com/users@lists.strongswan.org/msg00923.html">http://www.mail-archive.com/users@lists.strongswan.org/msg00923.html</a>
Why does the ping-down problem occur?
Thanks!

LinkUp__ 2010/06/04 22:23:05 1275661385
LinkDown 2010/06/04 23:16:30 1275664590
LinkUp__ 2010/06/04 23:16:31 1275664591
LinkDown 2010/06/05 00:07:42 1275667662
LinkUp__ 2010/06/05 00:07:42 1275667662
LinkDown 2010/06/05 01:01:16 1275670876
</pre>
<p>--- On Mon, 28 Jun 2010, <b>Martin Willi <i>&lt;martin@strongswan.org&gt;</i></b> wrote:</p>
<blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
From: Martin Willi &lt;martin@strongswan.org&gt;<br>
Subject: Re: [strongSwan] Ikelifetime Setting and Reauthentication.<br>
To: "Jessie Liu" &lt;iamnotjessie@yahoo.com.tw&gt;<br>
Cc: users@lists.strongswan.org<br>
Date: Monday, 28 June 2010, 3:23 PM<br><br>
<div class="plainMail">
Hi,<br><br>
&gt; In security gateway, ikelifetime and keylife are not set.<br><br>
Not set means: use the default lifetimes.<br><br>
&gt; (2) [...] So there is not ikelifetime and keylife settings in both<br>
&gt; client and gateway right now.<br><br>
The gateway still uses the default reauthentication interval. As we<br>
support the repeated authentication extension (RFC4478), the lifetime is<br>
negotiated to the client. The client therefore does<br><br>
&gt; EAP reauthentication in 2 hours<br><br><br>
&gt; What is the relation between ikelifetime setting and EAP<br>
&gt; reauthentication?<br><br>
There is no direct relation. But as the EAP reauthentication can be<br>
triggered by the initiator only, the gateway sends its lifetime to the client.<br>
The client then enforces the reauthentication policy configured at the<br>
server.<br><br>
&gt; In this case, IKE_SA and Child_SA will not rekey forever? So this<br>
&gt; reduces the security level due to the lack of rekeying?<br><br>
Yes and yes.<br><br>
Regards<br>
Martin<br><br>
</div>
</blockquote>
</div>
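The first thing to check when a tunnel drops on a regular cadence is whether the outages line up with the rekey schedule. The script below is an added example, not code from this thread or from the strongSwan project: it parses the LinkUp__/LinkDown lines posted above (embedded here as the sample input), measures each outage and the spacing between outages, and compares that spacing with the window in which strongSwan schedules a CHILD_SA rekey. The lifetime formula (rekey at lifetime minus margin minus a random fraction of margin scaled by rekeyfuzz) and the default values used (keylife=1h, rekeymargin=9m, rekeyfuzz=100%) are assumptions from the strongSwan documentation of that era; verify them against your own configuration before drawing conclusions.

```python
"""Correlate IPsec tunnel link-down events with the CHILD_SA rekey schedule.

Added example, not part of the original mailing-list post. The sample log is
the constructed input taken from the post; the rekey defaults are assumptions.
"""

# Constructed sample input: the LinkUp__/LinkDown lines from the post.
SAMPLE_LOG = """\
LinkUp__ 2010/06/04 22:23:05 1275661385
LinkDown 2010/06/04 23:16:30 1275664590
LinkUp__ 2010/06/04 23:16:31 1275664591
LinkDown 2010/06/05 00:07:42 1275667662
LinkUp__ 2010/06/05 00:07:42 1275667662
LinkDown 2010/06/05 01:01:16 1275670876
"""

# Assumed strongSwan defaults (seconds / percent): keylife=1h, rekeymargin=9m,
# rekeyfuzz=100%. Replace with the values from your ipsec.conf.
DEFAULT_LIFETIME_S = 3600
DEFAULT_MARGIN_S = 540
DEFAULT_FUZZ_PCT = 100


def parse_events(text):
    """Return a list of ("up" | "down", epoch_seconds) tuples, oldest first.

    Lines that do not have the four-column shape of the log are skipped.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        state = "up" if parts[0].startswith("LinkUp") else "down"
        events.append((state, int(parts[3])))
    return events


def outages(events):
    """Pair each LinkDown with the following LinkUp.

    Returns (down_epoch, duration_seconds); duration is None if the log ends
    while the link is still down.
    """
    result = []
    pending = None
    for state, ts in events:
        if state == "down" and pending is None:
            pending = ts
        elif state == "up" and pending is not None:
            result.append((pending, ts - pending))
            pending = None
    if pending is not None:
        result.append((pending, None))
    return result


def down_intervals(events):
    """Seconds between consecutive LinkDown events (the outage cadence)."""
    downs = [ts for state, ts in events if state == "down"]
    return [later - earlier for earlier, later in zip(downs, downs[1:])]


def rekey_window(lifetime_s=DEFAULT_LIFETIME_S, margin_s=DEFAULT_MARGIN_S,
                 fuzz_pct=DEFAULT_FUZZ_PCT):
    """(earliest, latest) seconds after SA installation at which a rekey is
    scheduled, assuming rekey = lifetime - (margin + random(0, margin*fuzz))."""
    earliest = lifetime_s - (margin_s + margin_s * fuzz_pct // 100)
    latest = lifetime_s - margin_s
    return earliest, latest


def flag_rekey_correlated(intervals, window, slack_s=120):
    """For each outage interval, True if it falls inside the rekey window
    (widened by slack_s on both sides), i.e. is plausibly rekey-triggered."""
    lo, hi = window
    return [lo - slack_s <= i <= hi + slack_s for i in intervals]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for down_at, dur in outages(ev):
        print("down at", down_at, "for", dur, "s")
    gaps = down_intervals(ev)
    win = rekey_window()
    print("intervals between outages:", gaps)
    print("assumed rekey window (s):", win)
    print("rekey-correlated?", flag_rekey_correlated(gaps, win))
```

With the posted log the outages last at most one second and recur roughly 51 to 54 minutes apart, so the script's per-interval flags tell you which gaps sit inside the assumed rekey window; the next step in a real investigation is to pull the exact rekey timestamps from the charon log and match them against the LinkDown epochs rather than rely on the cadence alone.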