[strongSwan] Ikelifetime Setting and Reauthentication.

Jessie Liu iamnotjessie at yahoo.com.tw
Tue Jun 29 06:38:15 CEST 2010

Dear all,
Update to the previous letter:
I found that IKE_SA and Child_SA rekeying will not affect the transmitted data packets, but EAP reauthentication will. I added "reauth=no" on the client and did NOT add "reauth=no" on the security gateway; EAP authentication still happened after 2 hours.
EAP reauthentication will cause packet loss, but I have no idea how to avoid EAP reauthentication without controlling the behavior of the security gateway.

--- On Mon, 6/28/10, Martin Willi <martin at strongswan.org> wrote:

From: Martin Willi <martin at strongswan.org>
Subject: Re: [strongSwan] Ikelifetime Setting and Reauthentication.
To: "Jessie Liu" <iamnotjessie at yahoo.com.tw>
Cc: users at lists.strongswan.org
Date: Monday, June 28, 2010, 3:23 PM


> In security gateway, ikelifetime and keylife are not set.

Not set means: use the default lifetimes.

> (2) [...] So there is not ikelifetime and keylife settings in both
> client and gateway right now.

The gateway still uses the default reauthentication interval. As we
support the repeated authentication extension (RFC4478), the lifetime is
negotiated to the client. The client therefore does

> EAP reauthentication in 2 hours

> What is the relation between ikelifetime setting and EAP
> reauthentication?

There is no direct relation. But as the EAP reauthentication can be
triggered by the initiator only, the gateway sends its lifetime to the client.
The client then enforces the reauthentication policy configured at the

> In this case, IKE_SA and Child_SA will not rekey forever?  So this
> reduces the security level due to the lack of rekeying?

Yes and yes.
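An added configuration example, not part of this thread and not strongSwan project code, to illustrate the point made above that the gateway's own settings decide the reauthentication interval announced to an EAP client (RFC 4478 AUTH_LIFETIME), so "reauth=no" on the client alone does not remove it. Two gateway-side ipsec.conf connection variants are shown; the connection names, the certificate file name and the EAP method are assumptions.

```ini
# Added example (not from the thread). Two strongSwan ipsec.conf variants for
# the security gateway side. Connection names, "gatewayCert.pem" and the
# "eap-mschapv2" method are placeholders / assumptions.

# Variant A: no lifetimes configured, so the gateway uses the defaults
# (ikelifetime=3h, keylife=1h, rekeymargin=9m, rekeyfuzz=100%, reauth=yes).
# With reauth=yes the gateway announces its IKE_SA lifetime to the initiator
# and the client must run a full IKE_AUTH (including EAP) again before it
# expires; the client's own "reauth=no" does not override what the gateway
# announces.
conn rw-eap
    left=%any
    leftcert=gatewayCert.pem
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2
    auto=add

# Variant B: keep IKE_SA and CHILD_SA rekeying (fresh keys at regular
# intervals), but replace the periodic reauthentication with an in-place
# IKE_SA rekey (CREATE_CHILD_SA), which does not tear down the IPsec SAs.
conn rw-eap-rekey
    left=%any
    leftcert=gatewayCert.pem
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2
    reauth=no          # rekey the IKE_SA instead of reauthenticating
    ikelifetime=3h     # IKE_SA lifetime
    keylife=1h         # CHILD_SA lifetime
    rekeymargin=9m     # start rekeying this long before expiry
    rekeyfuzz=100%     # randomise the margin so peers do not rekey at once
    auto=add
```

Variant B keeps the rekeying that the reply above calls out as the security benefit, while avoiding the traffic interruption that a full EAP reauthentication causes; it has to be applied on the gateway, since that is the side whose lifetime is announced.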

