[strongSwan] About the CHILD_SA lifetime
Yatong Cui
yacui at redhat.com
Mon Oct 25 10:49:20 CEST 2010
Hi all,
I'm a little bit confused about how to change the CHILD_SA lifetime on strongSwan.
I'm testing the inter-operation between openswan and strongSwan.
In this test case, the CHILD_SA lifetime is defined as 300s for openswan and 30s for strongSwan. strongSwan then initiates the connection and sends continuous echo packets to the openswan side.
From the ipsec.conf man page, I think it should be the 'lifetime' parameter that defines the CHILD_SA lifetime.
Actually here is the full configuration:
---------------------------------------------------------------------------------
OPENSWAN SIDE
=============
config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    protostack=netkey
    plutodebug=all

conn %default
    salifetime=300s
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1
    authby=secret
    ikev2=yes
    rekey=yes
    keyingtries=1

conn TAHI
    connaddrfamily=ipv6
    type=transport
    left=2001:db8:1:1:20c:29ff:fe0c:3ed1
    right=2001:db8:1:2:20c:29ff:fe45:b04e
    leftid=2001:db8:1:1:20c:29ff:fe0c:3ed1
    rightid=2001:db8:1:2:20c:29ff:fe45:b04e
    auto=add

STRONGSWAN SIDE
===============
config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    charonstart=yes

conn %default
    lifetime=30s
    keyingtries=1
    ike=aes-sha1-modp1024
    esp=3des-sha1
    authby=secret
    keyexchange=ikev2
    rekey=yes

conn TAHI
    right=2001:db8:1:1:20c:29ff:fe0c:3ed1
    left=2001:db8:1:2:20c:29ff:fe45:b04e
    rightid=2001:db8:1:1:20c:29ff:fe0c:3ed1
    leftid=2001:db8:1:2:20c:29ff:fe45:b04e
    type=transport
    compress=no
    auto=add
----------------------------------------------------------------------------------------
After successfully establishing the connection, I send continuous echo packets from the strongSwan side.
The SPI of the echo packets, I think, should change after 30s, and there should be another 4 ISAKMP packets (init, init ack, auth, auth ack) if perfect forward secrecy is enabled.
Yet I cannot observe the expected results.
What other configuration parameter shall I change to meet this test requirement? Thanks a lot in advance for your reply.
Thanks,
Frank
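As an added example (not from the post or from the strongSwan project), a small Python script that parses an ipsec.conf fragment like the strongSwan side above, merges conn %default into the connection, and computes where the CHILD_SA rekey window falls. It assumes the ipsec.conf(5) defaults for margintime (9m) and rekeyfuzz (100%); anything in charon's rekey scheduling beyond those two parameters is not modelled.

```python
import re

# strongSwan side from the post above, re-indented as ipsec.conf expects (sample input,
# lifetime-relevant keys only)
STRONGSWAN_CONF = """\
conn %default
    lifetime=30s
conn TAHI
    type=transport
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    # ipsec.conf time values: integer with optional s/m/h/d suffix, seconds by default
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_ipsec_conf(text):
    # Return {conn_name: params} with the 'conn %default' parameters merged underneath.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = 'config setup' / 'conn NAME'
            kind, name = line.split(None, 1)
            current = sections.setdefault((kind, name), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params} for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}

def child_sa_rekey_window(conn):
    # (lifetime, earliest, latest) in seconds: rekeying starts margintime before expiry,
    # with margintime randomly enlarged by up to rekeyfuzz. Assumed defaults: 1h / 9m / 100%.
    lifetime = parse_duration(conn.get("lifetime", "1h"))
    margin = parse_duration(conn.get("margintime", "9m"))
    fuzz = int(conn.get("rekeyfuzz", "100%").rstrip("%")) / 100.0
    return lifetime, lifetime - int(margin * (1 + fuzz)), lifetime - margin

def lifetime_problem(conn):
    # Flag a lifetime shorter than the rekey margin: the computed rekey offset is then
    # negative, so margintime/rekeyfuzz need adjusting together with lifetime.
    lifetime, earliest, latest = child_sa_rekey_window(conn)
    if latest <= 0:
        return "lifetime %ds is below margintime: rekey window %d..%ds" % (lifetime, earliest, latest)
    return None
```

For the 30s lifetime in the post the computed rekey window is entirely negative, which is worth checking alongside lifetime when the expected rekey does not show up.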