Hello all,

It is my first post and I would like to thank the strongSwan creators and all who contribute to this excellent suite of tools.
I've been watching almost all e-mails and I'm impressed by the almost immediate response of Andreas, Willi, Tobias.

I have a couple of questions:

Q1:
===
If someone could supply me with a group of a couple of thousand cryptographically ideal keys (statistically independent, FIPS 140-2, etc.) and also guarantee that the keys could be safely distributed to all peers, then if I use these keys as PSKs this is what really happens:

The PSK keys will be used to derive all SKEYSEED values SK_x, but the actual mathematical characteristics of the given group of crypto keys will not be inherited by the keys used by the CHILD_SA, because DH is the base mechanism for the creation of the "traffic keys".

How could I take advantage of the "given ideal keys"?
Is it possible to use the DH derived keys as an index to the pool of those "ideal keys"?

Q2:
===
I've been testing the following scenario:
(test pc:192.168.123.23)->192.168.123.223---192.168.2.23===back-to-back===192.168.2.24---192.168.124.224->(test pc:192.168.124.24)

After many hours (approx. 14h) of continuous but low traffic (0.01%, that is about 15 packets/sec),
I received the debug messages:

charon: 08[DMN] thread 10 received 11
charon: 08[DMN] killing ourself, received critical signal

while the configuration is like that:

config setup
 plutostart=no
 charonstart=yes
 charondebug=all
conn %default
 ikelifetime=1h
 keylife=8m
 rekeymargin=2m
 keyingtries=%forever
 authby=secret
 keyexchange=ikev2
 mobike=no
 esp=aes256-sha2_256-modp2048!
 ike=aes256-sha2_256-modp2048!
 inactivity=10m
conn net23-net24-1222
 left=192.168.2.223
 leftsubnet=192.168.123.0/24
 leftid=device23
 leftfirewall=yes
 right=192.168.2.224
 rightsubnet=192.168.124.0/24
 rightid=device24
 auto=route

I've seen the same messages (Bug#614105, regarding version 4.5.0-1),

but I'm using 4.4.1 and it was quite stable from the beginning, even under heavy stress
(rfc2544, tens of peers each with a couple of sub-nets).

Should I blame the short keylife (8m)?
Is it possible that the rekey happens at 4m (rekeyfuzz=100%) and the time left is not enough to make all calculations?

I would appreciate any help,
Best Regards,
Nikos
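For Q1, the IKEv2 derivation chain that decides which secret ends up in which key is spelled out in RFC 4306, sections 2.13 to 2.17. The following is an added illustration written for this thread, not strongSwan code: it implements prf+ with PRF_HMAC_SHA2_256 (matching the sha2_256 in the post's ike= line), derives the IKE_SA keys SK_d/SK_a/SK_e/SK_p, derives CHILD_SA KEYMAT from SK_d, and computes the PSK-based AUTH value. All nonces, SPIs, the stand-in DH shared secret and the "signed octets" are constructed sample bytes. Running it shows where a PSK actually enters the chain: it keys the AUTH payload only, while SKEYSEED and the traffic keys depend on the DH secret and the nonces.

```python
import hmac
import hashlib

# PRF_HMAC_SHA2_256, as selected by sha2_256 in the post's ike= proposal
HASH = hashlib.sha256
PRF_LEN = 32                      # PRF output length, also the size of SK_d and SK_p
KEY_PAD = b"Key Pad for IKEv2"    # fixed string from RFC 4306 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 4306 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def ike_sa_keys(g_ir, ni, nr, spi_i, spi_r, enc_len=32, integ_len=32):
    """Section 2.14: SKEYSEED = prf(Ni|Nr, g^ir); the PSK is not an input."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", PRF_LEN), ("SK_ai", integ_len), ("SK_ar", integ_len),
              ("SK_ei", enc_len), ("SK_er", enc_len),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, off = {"SKEYSEED": skeyseed}, 0
    for name, n in layout:
        keys[name] = stream[off:off + n]
        off += n
    return keys


def child_sa_keys(sk_d, ni, nr, enc_len=32, integ_len=32, g_ir_new=None):
    """Section 2.17: KEYMAT = prf+(SK_d, [new g^ir with PFS |] Ni | Nr).
    Initiator->responder keys come first, encryption before integrity."""
    seed = (g_ir_new or b"") + ni + nr
    km = prf_plus(sk_d, seed, 2 * (enc_len + integ_len))
    return {"ei": km[:enc_len],
            "ai": km[enc_len:enc_len + integ_len],
            "er": km[enc_len + integ_len:2 * enc_len + integ_len],
            "ar": km[2 * enc_len + integ_len:]}


def psk_auth(psk, signed_octets):
    """Section 2.15: AUTH = prf(prf(PSK, "Key Pad for IKEv2"), signed octets)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


# Constructed sample values, not captured traffic. G_IR and G_IR_ALT stand in
# for a modp2048 shared secret, which would be 256 bytes in a live exchange.
NI = bytes.fromhex("a1" * 32)
NR = bytes.fromhex("b2" * 32)
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
G_IR = bytes.fromhex("c3" * 64)
G_IR_ALT = bytes.fromhex("d4" * 64)
SIGNED = b"constructed InitiatorSignedOctets"


def derive_all(psk, g_ir):
    ike = ike_sa_keys(g_ir, NI, NR, SPI_I, SPI_R)
    child = child_sa_keys(ike["SK_d"], NI, NR)
    return ike, child, psk_auth(psk, SIGNED)


def what_the_psk_influences():
    """Swap only the PSK, then only the DH secret, and report what moved."""
    ike_a, child_a, auth_a = derive_all(b"psk-one", G_IR)
    ike_b, child_b, auth_b = derive_all(b"psk-two", G_IR)
    ike_c, child_c, auth_c = derive_all(b"psk-one", G_IR_ALT)
    return {
        "psk_changes_ike_keys": ike_a != ike_b,
        "psk_changes_child_keys": child_a != child_b,
        "psk_changes_auth": auth_a != auth_b,
        "dh_changes_ike_keys": ike_a != ike_c,
        "dh_changes_child_keys": child_a != child_c,
        # signed octets are held constant here, so AUTH is unchanged
        "dh_changes_auth": auth_a != auth_c,
    }


if __name__ == "__main__":
    for name, changed in what_the_psk_influences().items():
        print(f"{name}: {changed}")
```

The output answers the second part of Q1 directly: a pool of externally supplied keys used as PSKs influences only authentication, so an "index into the pool" would have to be carried by some mechanism outside the standard derivation, which strongSwan does not offer.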
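For Q2, the question of whether a rekey can start as early as 4m can be checked against the ipsec.conf(5) semantics of keylife, rekeymargin and rekeyfuzz: rekeying begins rekeymargin before expiry, and rekeyfuzz is the maximum random percentage by which that margin is increased. This added example (not part of the post or of strongSwan) is my reading of those rules as a small calculator: it parses the post's own conn %default block, merges it with the named conn the way strongSwan inherits settings, applies the documented defaults for anything unset (keylife 1h, ikelifetime 3h, rekeymargin 9m, rekeyfuzz 100%), and reports the earliest and latest rekey start for both the CHILD_SA and the IKE_SA. The conf text is reproduced from the post and is the only input.

```python
import re

# Documented defaults from ipsec.conf(5); assumed here because the post
# does not set rekeyfuzz and the computation needs it.
DEFAULTS = {"keylife": "1h", "ikelifetime": "3h",
            "rekeymargin": "9m", "rekeyfuzz": "100%"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Convert an ipsec.conf duration such as '8m' or '1h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_percent(value: str) -> float:
    return int(value.strip().rstrip("%")) / 100.0


def parse_conf(text: str) -> dict:
    """Minimal ipsec.conf reader: section headers start in column 0,
    settings are indented 'key=value' lines. Comments and blanks are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        else:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def effective_settings(sections: dict, conn: str) -> dict:
    """conn %default values, overridden by the named conn, over the defaults."""
    merged = dict(DEFAULTS)
    merged.update(sections.get("conn %default", {}))
    merged.update(sections.get("conn " + conn, {}))
    return merged


def rekey_window(lifetime: int, margin: int, fuzz: float) -> tuple:
    """Rekeying starts between lifetime-margin*(1+fuzz) and lifetime-margin."""
    earliest = lifetime - margin - int(margin * fuzz)
    latest = lifetime - margin
    return earliest, latest


def rekey_windows(sections: dict, conn: str) -> dict:
    s = effective_settings(sections, conn)
    margin = parse_time(s["rekeymargin"])
    fuzz = parse_percent(s["rekeyfuzz"])
    return {"child": rekey_window(parse_time(s["keylife"]), margin, fuzz),
            "ike": rekey_window(parse_time(s["ikelifetime"]), margin, fuzz)}


# Reproduced from the post; the IPs are the post's own lab addresses.
POST_CONF = """\
config setup
 plutostart=no
 charonstart=yes
 charondebug=all
conn %default
 ikelifetime=1h
 keylife=8m
 rekeymargin=2m
 keyingtries=%forever
 authby=secret
 keyexchange=ikev2
 mobike=no
 esp=aes256-sha2_256-modp2048!
 ike=aes256-sha2_256-modp2048!
 inactivity=10m
conn net23-net24-1222
 left=192.168.2.223
 leftsubnet=192.168.123.0/24
 leftid=device23
 leftfirewall=yes
 right=192.168.2.224
 rightsubnet=192.168.124.0/24
 rightid=device24
 auto=route
"""


if __name__ == "__main__":
    windows = rekey_windows(parse_conf(POST_CONF), "net23-net24-1222")
    for sa, (lo, hi) in windows.items():
        print(f"{sa}: rekey starts between {lo // 60}m and {hi // 60}m after setup")
```

With the post's values the CHILD_SA rekey starts somewhere between 4m and 6m into an 8m keylife, so the 4m figure in the question is the earliest case, and the responder still has the full rekeymargin of 2m before the hard expiry at 8m.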