[strongSwan-dev] Rekey Question

Martin Willi martin at strongswan.org
Fri Jul 26 13:23:33 CEST 2013


> Actually we were wondering if it is possible to only have a IKE_SA 
> rekeying without rekeying also the associated CHILD_SA.

There is currently no such option in ipsec.conf, as rekey=no disables
rekeying for both IKE and CHILD_SAs.

You can, however, just use a very large value for lifetime, such as
lifetime=365d or something. The 24h maximum mentioned in ipsec.conf is
actually not enforced anymore.

Regards
Martin





More information about the Dev mailing list