[strongSwan] About the CHILD_SA lifetime

Yatong Cui yacui at redhat.com
Mon Oct 25 11:01:39 CEST 2010

Hi all

And actually when verifying with the 'ipsec statusall',i got this output:
Status of IKEv2 charon daemon (strongSwan 4.4.0):
  uptime: 9 seconds, since Oct 25 05:00:08 2010
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac agent gmp attr kernel-netlink socket-raw socket-dynamic farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve 
Listening IP addresses:
        TAHI:  2001:db8:1:2:20c:29ff:fe45:b04e...2001:db8:1:1:20c:29ff:fe0c:3ed1
        TAHI:   local:  [2001:db8:1:2:20c:29ff:fe45:b04e] uses pre-shared key authentication
        TAHI:   remote: [2001:db8:1:1:20c:29ff:fe0c:3ed1] uses any authentication
        TAHI:   child:  dynamic === dynamic 
Security Associations:
        TAHI[1]: ESTABLISHED 4 seconds ago, 2001:db8:1:2:20c:29ff:fe45:b04e[2001:db8:1:2:20c:29ff:fe45:b04e]...2001:db8:1:1:20c:29ff:fe0c:3ed1[2001:db8:1:1:20c:29ff:fe0c:3ed1]
        TAHI[1]: IKE SPIs: fb9d7d5bf22aa95a_i* 365efe4becc5138d_r, pre-shared key reauthentication in 2 hours
        TAHI[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        TAHI{1}:  INSTALLED, TRANSPORT, ESP SPIs: cfc120b0_i 3ef6f2db_o
        TAHI{1}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
        TAHI{1}:   2001:db8:1:2:20c:29ff:fe45:b04e/128 === 2001:db8:1:1:20c:29ff:fe0c:3ed1/128 
The rekeying is actually disabled although i set rekey=yes in the ipsec.conf.
Hope experienced users can help me with this problem.


More information about the Users mailing list