[strongSwan] Ikelifetime Setting and Reauthentication.

Martin Willi martin at strongswan.org
Mon Jun 28 09:23:30 CEST 2010


Hi,

> In security gateway, ikelifetime and keylife are not set.

Not set means: use the default lifetimes.

> (2) [...] So there is not ikelifetime and keylife settings in both
> client and gateway right now.

The gateway still uses the default reauthentication interval. As we
support the repeated authentication extension (RFC4478), the lifetime is
negotiated to the client. The client therefore does

> EAP reauthentication in 2 hours


> What is the relation between ikelifetime setting and EAP
> reauthentication?

There is no direct relation. But as the EAP reauthentication can be
triggered by the initiator only, the gateway sends its lifetime to the
client. The client then enforces the reauthentication policy configured
at the server.

> In this case, IKE_SA and Child_SA will not rekey forever?  So this
> reduces the security level due to the lack of rekeying?

Yes and yes.

Regards
Martin
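The following ipsec.conf fragment is an added illustration, not part of Martin's mail or of any strongSwan sample configuration. It shows the lifetime-related options the thread refers to set explicitly on both peers, with the listed values being the documented strongSwan defaults (ikelifetime=3h, lifetime=1h, margintime=9m, rekeyfuzz=100%, reauth=yes, rekey=yes); the conn names, certificate file name, subnet and EAP method are assumptions chosen for the example.

```conf
# --- Gateway (responder) ---
# The IKE_SA lifetime set here is what the gateway announces to an EAP
# client via the AUTH_LIFETIME notify (RFC 4478); the client then
# reauthenticates before it expires.
conn %default
    keyexchange=ikev2
    # reauthenticate the IKE_SA after this long (with reauth=yes)
    ikelifetime=3h
    reauth=yes
    # rekey each CHILD_SA after this long ("keylife" is the older alias)
    lifetime=1h
    rekey=yes
    # start rekeying/reauthentication this long before expiry, with the
    # margin randomised so both peers do not start at the same moment
    margintime=9m
    rekeyfuzz=100%

conn eap-clients
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftauth=pubkey
    leftsubnet=10.1.0.0/16
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

# --- Client (initiator) ---
# CHILD_SA lifetimes are never negotiated in IKEv2: each peer enforces
# its own, so the client sets lifetime too rather than relying on the
# gateway. Only the reauthentication interval reaches the client via
# AUTH_LIFETIME.
conn gateway
    keyexchange=ikev2
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
    reauth=yes
    rekey=yes
    left=%defaultroute
    leftauth=eap
    leftid=user at example.org
    right=gw.example.org
    rightauth=pubkey
    rightsubnet=10.1.0.0/16
    auto=add
```

After the tunnel is up, `ipsec statusall` on either side lists the IKE_SA with a "reauth in ..." (or "rekeying in ...") countdown and each CHILD_SA with its own "rekeying in ..." value; if those lines are missing, rekeying has been disabled on that peer and the SAs will keep the same keys for the life of the connection, which is the situation the question describes.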