[strongSwan] About the CHILD_SA lifetime
martin at strongswan.org
Mon Oct 25 12:03:50 CEST 2010
> conn %default
lifetime specifies the maximum time before the SA gets deleted, not when
it gets rekeyed (man ipsec.conf).
You additionally have to define a margintime and the rekeyfuzz, see 
To rekey in 30s, try:
This will trigger a rekey after 30s, and drop the SA if it is unable to
rekey in 40s.