[strongSwan-dev] ISAKMP SA lifetime, Mode Config, and DHCP

Thor Simon Thor.Simon at twosigma.com
Thu Apr 5 18:22:42 CEST 2018

Thanks for your comments!  It sounds to me like the best (practically, nearly the only) way, then, is:

>> 3) Artificially constrain the effective phase 1 SA lifetime server-side so that the server tries to renew the phase 1 before the DHCP lease expires.  This should still trigger a new config pull by the client.
>>  * This is an abstraction violation - the DHCP plugin would have to 
>>  find the relevant client state and mess with it directly, unless the 
>>  plugin's API were changed as per #1 above
> The server can't reauthenticate in all cases (in particular with asymmetric authentication, or with IKEv2 and virtual IPs).  But with
> IKEv2 you could pass the lease time to the IKE_SA (via
> set_auth_lifetime() method), which would then request the client to reauthenticate before this (if it supports > RFC 4478, otherwise the server will close the IKE_SA when it expires if the client did not reauthenticate before > that).

The DHCP provider's acquire method gets the ike_sa so it looks like this should be relatively straightforward.  We'll give it a try!

My remarks on tying things to the phase 2 SA were based on what may have been a misunderstanding of 3.4 and 4 in the original mode config draft.  In any case, it sounds like we may have a method that should work, at least for StrongSwan server and client.  Thanks!


More information about the Dev mailing list