[strongSwan] About the CHILD_SA lifetime
Martin Willi
martin at strongswan.org
Mon Oct 25 12:03:50 CEST 2010
> conn %default
> lifetime=30s
lifetime specifies the maximum time before the SA gets deleted, not when
it gets rekeyed (man ipsec.conf).
You additionally have to define a margintime and the rekeyfuzz, see [1]
for details.
To rekey in 30s, try:

    lifetime=40s
    margintime=10s
    rekeyfuzz=0%

This will trigger a rekey after 30s, and drop the SA if it is unable to
rekey in 40s.
Regards
Martin
[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
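
An added example, not part of the original message or of strongSwan's code: it applies the formula documented on the ExpiryRekey page, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)), to a constructed ipsec.conf snippet. The defaults (lifetime=1h, margintime=9m, rekeyfuzz=100%) are taken from ipsec.conf(5) as assumptions, and the conn names are made up.

```python
import re

# Defaults as documented in ipsec.conf(5); treated as assumptions here.
DEFAULTS = {"lifetime": "1h", "margintime": "9m", "rekeyfuzz": "100%"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample: the quoted setting and the suggested one (conn names are made up).
SAMPLE = """
conn quoted
    lifetime=30s
conn suggested
    lifetime=40s
    margintime=10s
    rekeyfuzz=0%
"""

def seconds(value):
    """Convert an ipsec.conf time value (bare seconds or s/m/h/d suffix)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conns(text):
    """Collect the three lifetime-related keys per conn, starting from DEFAULTS."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], dict(DEFAULTS))
        elif current is not None and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key in DEFAULTS:
                current[key] = val
    return conns

def rekey_window(conn):
    """Return (earliest, latest, lifetime) in seconds; random() ranges over [0, margin*fuzz]."""
    life, margin = seconds(conn["lifetime"]), seconds(conn["margintime"])
    fuzz = int(conn["rekeyfuzz"].rstrip("%")) / 100
    return life - margin * (1 + fuzz), life - margin, life

def report(text=SAMPLE):
    """Map conn name -> (earliest, latest, lifetime, rekey_before_expiry)."""
    return {name: rekey_window(c) + (rekey_window(c)[1] > 0,)
            for name, c in parse_conns(text).items()}

if __name__ == "__main__":
    for name, (early, late, life, ok) in report().items():
        note = "" if ok else "  <- margin exceeds lifetime"
        print(f"{name}: rekey {early:g}s..{late:g}s, hard expiry {life}s{note}")
```

With only lifetime=30s set, the assumed default margintime of 9m is larger than the lifetime, so the formula yields no positive rekey time; the suggested values give a rekey at exactly 30s and a hard expiry at 40s.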