[strongSwan] Ikelifetime Setting and Reauthentication.
Jessie Liu
iamnotjessie at yahoo.com.tw
Mon Jun 28 06:37:51 CEST 2010
Dear all,

Recently I am doing some tests about the ikelifetime and keylife settings in ipsec.conf. I am using version strongswan-4.3.2. The client uses EAP authentication and the security gateway uses public key authentication. In the security gateway, ikelifetime and keylife are not set. In the following cases, the console logs and the "ipsec statusall" output are from the client.
(1) In the client, I set ikelifetime=36000 (10 hours) and no keylife, and then initiate the connection to the security gateway.
I found that in the tunnel setup process, the log shows the following two lines:
scheduling reauthentication in 35355s maximum IKE_SA lifetime 35895s
and ipsec statusall shows ..., EAP reauthentication in 2 hours ..., rekeying in 41 minutes, ...
(2) In the next test, I removed ikelifetime=36000 (10 hours) from ipsec.conf in the client and kept the other settings in the client and security gateway. So there are no ikelifetime and keylife settings in either the client or the gateway right now.
The log shows:
scheduling reauthentication in 10203s maximum IKE_SA lifetime 10743s
and ipsec statusall shows ..., EAP reauthentication in 2 hours ..., rekeying in 50 minutes, ...
What is the relation between the ikelifetime setting and EAP reauthentication? It seems EAP authentication will occur at least every 2 hours (if rekey is enabled) even if ikelifetime is greater than 2 hours? Is this the upper bound of the strongSwan setting? Will the transmitted data packets be lost when IKE_SA rekeying or Child_SA rekeying happens?
(3) Following the setting in (2) (no ikelifetime and keylife in either the client or the gw), if I add reauth=no and rekey=no in both the client and security gateway, the log lines "scheduling reauthentication" and "maximum IKE_SA lifetime" are NOT shown on the console, and ipsec statusall shows
..., rekeying disabled ..., rekeying disabled, ...
In this case, will IKE_SA and Child_SA never rekey? So does this reduce the security level due to the lack of rekeying?
Thank you all. ^______^
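An added example (not part of the original post, and not strongSwan's own code) that shows where the two logged numbers in cases (1) and (2) come from and lets an operator check a logged schedule against the configured policy. It assumes strongSwan's documented rekey/reauth scheme: the soft (reauth or rekey) time is ikelifetime minus margintime minus a random fuzz of up to rekeyfuzz percent of margintime, and the hard IKE_SA lifetime is the soft time plus margintime; the defaults used (ikelifetime=3h, margintime=9m, rekeyfuzz=100%) are the ipsec.conf defaults of the 4.x series. The conn snippets and log lines below are taken from the post or constructed for the example.

```python
"""Derive strongSwan's scheduled reauthentication / hard IKE_SA lifetime from
ipsec.conf settings, and check a charon log line against that policy.

Assumed scheme (documented strongSwan behaviour, stated here as an assumption):
    soft = ikelifetime - margintime - random(0 .. margintime * rekeyfuzz / 100)
    hard = soft + margintime
"""
import random
import re

# ipsec.conf defaults of the strongSwan 4.x series (assumption, see lead-in)
DEFAULTS = {"ikelifetime": "3h", "margintime": "9m", "rekeyfuzz": "100%",
            "reauth": "yes", "rekey": "yes"}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """Convert an ipsec.conf time value ('36000', '10h', '9m') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conn(text):
    """Read key=value lines of one conn section on top of the defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg


def schedule_bounds(cfg):
    """Return (soft_min, soft_max, margin) in seconds, or None when both
    reauth=no and rekey=no (nothing is scheduled at all in that case)."""
    if cfg["reauth"] == "no" and cfg["rekey"] == "no":
        return None
    life = parse_time(cfg["ikelifetime"])
    margin = parse_time(cfg["margintime"])
    fuzz = int(cfg["rekeyfuzz"].rstrip("%"))
    jitter = margin * fuzz // 100
    soft_max = life - margin
    return (soft_max - jitter, soft_max, margin)


def schedule(cfg, rng=random):
    """One concrete draw, as charon would log it: (soft, hard) or None."""
    bounds = schedule_bounds(cfg)
    if bounds is None:
        return None
    lo, hi, margin = bounds
    jitter = hi - lo
    soft = hi - (rng.randrange(jitter) if jitter > 0 else 0)
    return soft, soft + margin


LOG_RE = re.compile(
    r"scheduling reauthentication in (\d+)s.*?maximum IKE_SA lifetime (\d+)s")


def check_log_line(line, cfg):
    """True if a logged schedule is consistent with the configured policy.
    With reauth=no and rekey=no the expectation is that no such line appears."""
    m = LOG_RE.search(line)
    bounds = schedule_bounds(cfg)
    if not m:
        return bounds is None
    if bounds is None:
        return False
    soft, hard = int(m.group(1)), int(m.group(2))
    lo, hi, margin = bounds
    return lo <= soft <= hi and hard == soft + margin


if __name__ == "__main__":
    # conn settings and log lines from the post (case 1 and case 2)
    cases = [
        ("ikelifetime=36000",
         "scheduling reauthentication in 35355s maximum IKE_SA lifetime 35895s"),
        ("",
         "scheduling reauthentication in 10203s maximum IKE_SA lifetime 10743s"),
        ("reauth=no\nrekey=no", "(no schedule line logged)"),
    ]
    for conn, logged in cases:
        cfg = parse_conn(conn)
        print(conn or "(defaults)", "->", schedule_bounds(cfg),
              "consistent:", check_log_line(logged, cfg))
```

Running the script against the two logged pairs from the post shows both fall inside the window the configured (or default) ikelifetime allows, and that the hard lifetime is exactly the soft time plus the 9 minute margin; with reauth=no and rekey=no the checker expects no schedule line at all.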