Hi Andreas,<br><br>OK, the pluto daemon is for IKEv1. But the SADs I have mentioned here are for charon.<br><br>Thanks,<br>Reshma<br><br><div class="gmail_quote">On Mon, Apr 2, 2012 at 4:21 PM, Andreas Steffen <span dir="ltr">&lt;<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Reshma,<br>
<br>
the IKEv1 pluto daemon does not set the lifetime fields<br>
in the Linux kernel:<br>
<br>
<a href="http://www.strongswan.org/uml/testresults/ikev1/net2net-cert/moon.ip.state" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/net2net-cert/moon.ip.state</a><br>
<br>
whereas the IKEv2 charon daemon does:<br>
<br>
<a href="http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/moon.ip.state" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/moon.ip.state</a><br>
<br>
This has historic reasons. pluto goes a long way back to the<br>
FreeS/WAN project which with KLIPS had an IPsec stack implementation<br>
of its own. The Phase 2 rekeying is managed by the daemon's userland<br>
event scheduler.<br>
<br>
Our IKEv2 charon daemon subscribes to XFRM events generated by the<br>
Linux kernel which are triggered by the IPsec state's hard and soft<br>
limits.<br>
<br>
Regards<br>
<br>
Andreas<br>
<div class="im"><br>
On 02.04.2012 12:13, Reshma Begam wrote:<br>
> Hi,<br>
><br>
> I have seen a soft lifetime of 0 in the SAD database. When can this happen?<br>
> Can someone please comment? The following are the lifetime and margin<br>
> values used in our configuration.<br>
><br>
> ikelifetime (phase1) : 3600s<br>
> keylife (phase2) : 1800s<br>
> rekeymargin : keylifetime/10 = 1800/10<br>
> rekeyfuzz : 100%<br>
><br>
><br>
> Setkey -D<br>
> ====================<br>
> # setkey -D<br>
> source=10.69.211.113 destination=10.69.211.169<br>
> protocol=esp mode=tunnel spi=171795725(0x0a3d650d)<br>
> reqid=3(0x00000003)<br>
> encr-algo=aes-cbc<br>
> encr-key=d4ce82ab1a1a227042f7223be73992aa<br>
> auth-algo=hmac-sha1<br>
> auth-key=9813fe27b461ae4e21aa30b3c8d4d0d5e02e5beb<br>
> replay-window=32 flags=0x11000000 state=mature seq=1 pid=12331<br>
> created=2012-03-30/12:59:04 current=2012-03-30/13:20:49<br>
> elapsed=1305(s)<br>
> hard-lifetime=1800(s) expiration=2012-03-30/13:29:04<br>
</div>> * soft-lifetime=0(s) renewal=2012-03-30/12:59:04 *<br>
<div class="im">> last-use=2012-03-30/12:59:05<br>
> bytes-processed=3005251 hard-lifebyte=0 soft-lifebyte=0<br>
> vrfid=0 xvrfid=0<br>
> source=10.69.211.169 destination=10.69.211.113<br>
> protocol=esp mode=tunnel spi=3393626443(0xca46a14b)<br>
> reqid=3(0x00000003)<br>
> encr-algo=aes-cbc<br>
> encr-key=33df05abedf86b9a83a66e4f4cb47058<br>
> auth-algo=hmac-sha1<br>
> auth-key=bbaa5769f326304efe20cfb978074f1252e09f18<br>
> replay-window=32 flags=0x10000000 state=mature seq=0 pid=12331<br>
> created=2012-03-30/12:59:04 current=2012-03-30/13:20:49<br>
> elapsed=1305(s)<br>
> hard-lifetime=1800(s) expiration=2012-03-30/13:29:04<br>
> soft-lifetime=1557(s) renewal=2012-03-30/13:25:01<br>
> last-use=never<br>
> bytes-processed=2222776 hard-lifebyte=0 soft-lifebyte=0<br>
> vrfid=0 xvrfid=0<br>
><br>
><br>
> --<br>
><br>
> Regards,<br>
> Reshma<br>
<br>
</div>======================================================================<br>
<span class="HOEnZb"><font color="#888888">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div> </div>
<div>Regards,</div>
<div>Reshma</div><br>
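<div>An added example, not part of the original thread or of strongSwan's code: a check that parses a dump in the field=value layout shown above and compares each SA's soft lifetime with the window given by strongSwan's documented rekey formula, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)). The function names, the sample addresses and the SPIs are constructed for illustration; the lifetime values mirror those quoted in the thread.</div>

```python
import re

# Constructed sample in the layout of the dump above (keys omitted, test addresses).
SAMPLE = """\
source=192.0.2.1 destination=192.0.2.2
protocol=esp mode=tunnel spi=1001(0x000003e9)
hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
soft-lifetime=0(s) renewal=2012-03-30/12:59:04
bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
source=192.0.2.2 destination=192.0.2.1
protocol=esp mode=tunnel spi=1002(0x000003ea)
hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
"""

SA_START = re.compile(r"^source=(\S+)\s+destination=(\S+)")
FIELD = re.compile(r"(spi|hard-lifetime|soft-lifetime)=(\d+)")

def soft_window(lifetime, margin, fuzz_pct):
    """(earliest, latest) soft lifetime in seconds for the formula in the lead-in."""
    return lifetime - margin - margin * fuzz_pct // 100, lifetime - margin

def parse_sad(text):
    """Return one dict per SA; a 'source=' line starts a new entry."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        start = SA_START.match(line)
        if start:
            sas.append({"src": start.group(1), "dst": start.group(2)})
        elif sas:
            for key, value in FIELD.findall(line):
                sas[-1][key] = int(value)
    return sas

def audit(text, lifetime, margin, fuzz_pct):
    """Label each SA: no soft limit set, inside the rekey window, or outside it."""
    earliest, latest = soft_window(lifetime, margin, fuzz_pct)
    findings = []
    for sa in parse_sad(text):
        soft = sa.get("soft-lifetime", 0)
        if soft == 0:
            verdict = "no-soft-limit"  # kernel will raise no soft-expire event
        elif earliest <= soft <= latest and soft < sa.get("hard-lifetime", 0):
            verdict = "ok"
        else:
            verdict = "outside-window"
        findings.append((sa.get("spi"), verdict))
    return findings

if __name__ == "__main__":
    for spi, verdict in audit(SAMPLE, lifetime=1800, margin=180, fuzz_pct=100):
        print(spi, verdict)
```

<div>With keylife 1800s, rekeymargin 180s and rekeyfuzz 100%, the window is 1440s to 1620s, so a soft lifetime of 1557s is consistent with the configuration while a soft lifetime of 0 is not.</div>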