[strongSwan] Ikelifetime Setting and Reauthentication.

Jessie Liu iamnotjessie at yahoo.com.tw
Mon Jun 28 12:15:53 CEST 2010


Dear Martin,    Thanks for your reply. ^______^I have another question:Will the transmitted data packets be lost during IKE_SA rekeying or Child_SA rekeying?We tried to send packets continuously (ping) through the ipsec tunnel, but about every 50 minutes, the link down occurred and then recovered.The rekeying process should not affect the transmitted data packets as there is a time period in which the old SA and the new SA are overlapped.The kernel usually uses the newer SA for outgoing packets, but accepts
incoming packets on both SAs, as said in http://www.mail-archive.com/users@lists.strongswan.org/msg00923.htmlWhy will the ping down problem occur?Thanks!LinkUp__ 2010/06/04 22:23:05 1275661385
LinkDown 2010/06/04 23:16:30 1275664590
LinkUp__ 2010/06/04 23:16:31 1275664591
LinkDown 2010/06/05 00:07:42 1275667662
LinkUp__ 2010/06/05 00:07:42 1275667662
LinkDown 2010/06/05 01:01:16 1275670876




--- 10/6/28 (一),Martin Willi <martin at strongswan.org> 寫道:

寄件者: Martin Willi <martin at strongswan.org>
主旨: Re: [strongSwan] Ikelifetime Setting and Reauthentication.
收件者: "Jessie Liu" <iamnotjessie at yahoo.com.tw>
副本: users at lists.strongswan.org
日期: 2010年6月28日,一,下午3:23

Hi,

> In security gateway, ikelifetime and keylife are not set.

Not set means: use the default lifetimes.

> (2) [...] So there is not ikelifetime and keylife settings in both
> client and gateway right now.

The gateway still uses the default reauthentication interval. As we
support the repeated authentication extension (RFC4478), the lifetime is
negotiated to the client. The client therefore does

> EAP reauthentication in 2 hours


> What is the relatio between ikelifetime setting and EAP
> reauthentication?

There is no direct relation. But as the EAP reauthentication can be
trigger by the initiator only, the gateway sends its lifetime to client.
The client then enforces the reauthentication policy configured at the
server.

> In this case, IKE_SA and Child_SA will not rekey forever?  So this
> reduces the security level due to the lack of rekeying?

Yes and yes.

Regards
Martin




      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100628/c4930d0e/attachment.html>


More information about the Users mailing list