<div dir="ltr"><div><div><div><div><div><div><div>Hi<br><br></div>I have a network setup for ipsec tunnels as in attached txt doc (also contains other info such as syslogs, "ipsec.conf" configs, etc)<br><br></div>Its a setup with a central-gw behind which there is a file-server. There are about 3 branches (gw2/gw3/gw4) which establish a site-to-site ipsec tunnels to the central-gw and all the pcs behind each of these remote-peer-gws send/recieve udp traffic to the file-server behind the central-gw<br><br></div>Now my observation on one of the branch-Gws (its seen on all the remote-branch-gws) for the output of "ipsec statusall" command is as below:<br>================================<br>root@OpenWrt:/etc# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.2.26, armv7l):<br> uptime: 2 hours, since May 24 14:00:01 2015<br> malloc: sbrk 249856, mmap 0, used 119272, free 130584<br> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 5<br> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-pfkeyc<br>Listening IP addresses:<br> 169.254.0.1<br> 2.2.2.4<br> 2006::4<br> 192.168.9.1<br> 2018::9<br>Connections:<br> mainconn1: 2.2.2.4...172.16.10.2 IKEv2, dpddelay=30s<br> mainconn1: local: [C=IN, O=strongSwan, CN=gateway3] uses public key authentication<br> mainconn1: cert: "C=IN, O=strongSwan, CN=gateway3"<br> mainconn1: remote: [C=IN, O=strongSwan, CN=gateway1] uses public key authentication<br> mainconn1: child: <a href="http://192.168.9.0/24">192.168.9.0/24</a> === <a href="http://192.168.10.0/24">192.168.10.0/24</a> TUNNEL, dpdaction=restart<br>Routed Connections:<br> mainconn1{1}: ROUTED, TUNNEL<br> mainconn1{1}: <a href="http://192.168.9.0/24">192.168.9.0/24</a> === <a href="http://192.168.10.0/24">192.168.10.0/24</a><br>Security Associations (1 up, 0 connecting):<br> mainconn1[8]: ESTABLISHED 8 minutes ago, 2.2.2.4[C=IN, O=strongSwan, CN=gateway3]...172.16.10.2[C=IN, O=strongSwan, CN=gateway1]<br> mainconn1[8]: IKEv2 SPIs: ffd238335e9f7ba1_i* 1371e5cc4fb46730_r, rekeying in 5 minutes<br> mainconn1[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096<br> mainconn1{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c6dd7c96_i c3b29204_o<br> mainconn1{1}: AES_CBC_256/HMAC_SHA1_96, 61233208 bytes_i (0 pkts, 522s ago), 65250496 bytes_o (0 pkts, 522s ago), rekeying disabled<br> mainconn1{1}: <a href="http://192.168.9.0/24">192.168.9.0/24</a> === <a href="http://192.168.10.0/24">192.168.10.0/24</a><br>root@OpenWrt:/etc#<br>===========================================<br><br></div></div>If you refer to the configs used on central-gw and branch-gw3, you will see that i have set smaller lifetimes on the branch-gw and a larger lifetime on central-gw. This was to ensure that the rekeying is initiated from only one end always<br></div><br></div><div>Also the dpdaction=clear setting is used only on cental-gw, whereas the brach-gws have the setting of "dpdaction=restart"<br><br> I have not changed any default settings for rekey (it is yes by
default), but then again we see this "rekeying disabled" message. Why is
this shown? Whats the significance or meaning of this output? Is my
config wrong somewhere?<br><br></div><div>thanks & regards<br></div><div>rajiv<br><br></div><div>PS: my suggestion is to please "Textpad" to open/read the attached txt file.<br></div><div><div><div><div><br></div></div></div></div></div>