[strongSwan] possible bug with margin* and life* options
Christoph Anton Mitterer
calestyo at scientia.net
Tue Oct 5 22:38:35 CEST 2010
Hi.
I was playing around today with the margin* and life* options.
I did some testing whether there are interruptions during the time where
the key is renegotiated (any packages are lost)
(btw: Is this technically prevented?)
1) Is it true that when I e.g. specify both:
margintime = ...
marginbytes = ...
that it works like an OR, meaning the first condition that is met leads
to e.g. renegotiation?
Same with the life* options
2) Now the possible bug, mich might be at least something missing in the
documentation ;)
For the tests I set:
margintime = 9m (default)
lifetime = 1h (default)
and in addition:
marginbyte = 1000
lifebytes = 1000
The I pinged between the two hosts.
When the 1000 bytes were reached, the tunnel was lost (not the IKE
connection) and was never renegotiated.
Although I've had all those things like: keyingtries = %forever,
dpdaction = restart, rekey = yes....
This also happens when marginbyte is quite close to lifebytes.
And I guess it's the same for the *time and *packets options.
Cheers,
Chris :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5677 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101005/e6f1aa23/attachment.bin>
More information about the Users
mailing list