[strongSwan] possible bug with margin* and life* options

Christoph Anton Mitterer calestyo at scientia.net
Tue Oct 5 22:38:35 CEST 2010


I was playing around today with the margin* and life* options.

I did some testing whether there are interruptions during the time where
the key is renegotiated (any packages are lost)
(btw: Is this technically prevented?)

1) Is it true that when I e.g. specify both:
margintime = ...
marginbytes = ...
that it works like an OR, meaning the first condition that is met leads
to e.g. renegotiation?
Same with the life* options

2) Now the possible bug, which might be at least something missing in the
documentation ;)

For the tests I set:
margintime = 9m (default)
lifetime = 1h (default)
and in addition:
marginbyte = 1000
lifebytes = 1000

Then I pinged between the two hosts.

When the 1000 bytes were reached, the tunnel was lost (not the IKE
connection) and was never renegotiated.
Although I've had all those things like: keyingtries = %forever,
dpdaction = restart, rekey = yes....

This also happens when marginbyte is quite close to lifebytes.

And I guess it's the same for the *time and *packets options.

Chris :)