[strongSwan] Question About the IKE rekey and ESP rekey time setting

David Deng david.live.koo at gmail.com
Wed Jan 5 03:28:05 CET 2011


Hi Martin, Hi All,

Happy new year! I have one question to ask you about the IKE rekey and ESP
rekey time.

According to the description listed on the strongSwan official website, the
rekey time interval will be in the following scope:

1) IKE_REKEY interval:

[IKERekeyLifetime-2*marginTime, IKERekeyLifetime-marginTime]

2) ESP_REKEY interval:

[IPsecRekeyLifetimeTime-2*marginTime, IPsecRekeyLifetimeTime-marginTime]

But when I initiated some rounds of testing, I found the values are often not
in the scope.

Therefore, the first question is: I wonder what factors influence the time of
rekey (IKE and IPsec).

Secondly, I want to set the time of rekey as a fixed value. Now I modified the
code as follows.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Line 771 of stroke_config.c and Line 374 of child_cfg.c of strongSwan,
modification record as follows:
1)
    /********************************************************
     * Modification Record:
     * Author: Deng Weiping
     * Reason: Modify the rekey lifetime as the fixed value
     * Original Calculation for rekey lifetime is:
     * rekey_lifetime = rekey_lifetime - rekey.margin -
random()%(rekey.margin * rekey.fuzz/100)
     * After modified, calculation for rekey lifetime is:
     * rekey_lieftime = rekey_lifetime - rekey.margin * rekey.fuzz/100
     * Modification Time: OCT 13, 2010
     **********************************************************
     **********************************************************/
-
    child_cfg = child_cfg_create(
                msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime,
                msg->add_conn.rekey.ipsec_lifetime -
msg->add_conn.rekey.margin,
                msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,

                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
                msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);

+
child_cfg = child_cfg_create(
                msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime,
                msg->add_conn.rekey.ipsec_lifetime,
                msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,

                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
                msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
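Review bot: the new `child_cfg_create` call passes `msg->add_conn.rekey.ipsec_lifetime` unchanged as the rekey time and moves the margin into the jitter argument (`msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100`). Together with the `rekeytime - jitter` change in child_cfg.c this yields `lifetime - margin * fuzz / 100`, which equals the intended `lifetime - margin` only when fuzz is 100; for any smaller fuzz the CHILD_SA is rekeyed closer to its hard lifetime than the configured margintime, and with fuzz 0 it is rekeyed exactly at expiry, so the old SA can expire before the rekey exchange completes. Keeping the original `msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin` as the rekey time and passing 0 as the jitter (which is what `rekeyfuzz=0%` in ipsec.conf produces) gives a fixed rekey time without eating into the safety margin. The header comment's "After modified" formula also does not describe what the call now does (the margin itself is scaled by fuzz), and `rekey_lieftime` is misspelled.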

2)
        /*************************************************
         * Modification Record:
         * Reason: Rekey lifetime of IPsec
         * Modified Time: OCT 13, 2010
         * Author: Deng Weiping
         *************************************************/
-
    return this->rekeytime - (random() % this->jitter);
+
    return this->rekeytime - this->jitter;
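Review bot: `return this->rekeytime - this->jitter;` changes the meaning of the jitter field for every child_cfg, not only the ones created in stroke_config.c: jitter is no longer a randomisation range but an unconditional subtraction, so any other code that creates a child_cfg with a non-zero jitter silently loses its randomisation and rekeys earlier than configured. The original line already produces a fixed rekey time when jitter is 0 (the `random() % this->jitter` term then has to be skipped to avoid a modulo by zero, so check for a zero guard above this return), which is exactly what `rekeyfuzz=0%` configures, making this hunk unnecessary. The modification record comment above the line should also state the old and new formula, as the first record does.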

After modification, the rekey lifetime of IPsec will be set as follows:
if fuzz is 100, then the rekey lifetime of IPsec will be fixed at:
---------------------------------------------------------------------
    lifetime = lifetime - margin
---------------------------------------------------------------------

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

But the above modification can only change the rekey time of IPsec; the
rekey time of IKE cannot be changed to a fixed value.

Therefore, the second question: if I want to change the IKE rekey time to a
fixed value, what modification do I need to apply?

Thanks in advance!

David Morris
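The rekey-window arithmetic the message quotes (rekey time = lifetime - margintime, randomised downward by up to margintime * rekeyfuzz / 100), worked through as an added example that is not code from the email or from strongSwan. It reproduces the formulas given in the message for the stock computation, for a fixed rekey time obtained by setting the jitter to 0 (the `rekeyfuzz=0%` setting), and for the message's patched formula `lifetime - margin * fuzz / 100`, and it computes how much time each variant leaves between the rekey and the hard lifetime, which is where the patched formula differs from the stock one once fuzz is below 100. The struct and function names (`rekey_cfg_t`, `rekey_window`, `modified_rekey_time`, `gap_to_expiry`) and the sample values are invented here; 1 h lifetime and 9 min margintime are the ipsec.conf defaults.

```c
#define _DEFAULT_SOURCE 1   /* expose random() under strict -std modes on glibc */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not strongSwan code: the quantities the message
 * works with. lifetime and margin in seconds, fuzz in percent (rekeyfuzz). */
typedef struct {
    uint32_t lifetime;   /* hard lifetime of the SA */
    uint32_t margin;     /* margintime */
    uint32_t fuzz;       /* rekeyfuzz in percent, 100 is the default */
} rekey_cfg_t;

/* Jitter as the stroke backend derives it from margin and fuzz
 * (the "margin * fuzz / 100" term quoted in the message). */
uint32_t rekey_jitter(const rekey_cfg_t *c)
{
    return c->margin * c->fuzz / 100;
}

/* Latest possible rekey of the stock computation: lifetime - margin. */
uint32_t rekey_latest(const rekey_cfg_t *c)
{
    return c->lifetime - c->margin;
}

/* Earliest possible rekey of the stock computation rekeytime - (random() % jitter).
 * random() % jitter takes values 0..jitter-1, so the earliest rekey is
 * rekeytime - (jitter - 1); with jitter 0 the rekey time is fixed. */
uint32_t rekey_earliest(const rekey_cfg_t *c)
{
    uint32_t jitter = rekey_jitter(c);
    return jitter ? rekey_latest(c) - (jitter - 1) : rekey_latest(c);
}

/* One concrete rekey time drawn the way the stock formula draws it. */
uint32_t sample_rekey_time(const rekey_cfg_t *c)
{
    uint32_t jitter = rekey_jitter(c);
    if (jitter == 0)
    {
        return rekey_latest(c);   /* never evaluate random() % 0 */
    }
    return rekey_latest(c) - (uint32_t)(random() % jitter);
}

/* The message's patched formula: lifetime - margin * fuzz / 100.
 * Fixed, but the distance to the hard lifetime now shrinks with fuzz. */
uint32_t modified_rekey_time(const rekey_cfg_t *c)
{
    return c->lifetime - rekey_jitter(c);
}

/* Seconds between a rekey time and the hard lifetime: the rekey exchange
 * has to finish inside this gap, or the old SA expires first. */
uint32_t gap_to_expiry(const rekey_cfg_t *c, uint32_t rekey_time)
{
    return c->lifetime - rekey_time;
}

int main(void)
{
    /* constructed sample: 1 h lifetime, 9 min margin, three fuzz settings */
    rekey_cfg_t cfgs[] = { { 3600, 540, 100 }, { 3600, 540, 50 }, { 3600, 540, 0 } };
    size_t i;

    for (i = 0; i < sizeof(cfgs) / sizeof(cfgs[0]); i++)
    {
        const rekey_cfg_t *c = &cfgs[i];
        uint32_t patched = modified_rekey_time(c);

        printf("fuzz=%3u%%  stock: rekey in [%u, %u] s, gap to expiry >= %u s\n",
               (unsigned)c->fuzz, (unsigned)rekey_earliest(c),
               (unsigned)rekey_latest(c), (unsigned)gap_to_expiry(c, rekey_latest(c)));
        printf("           patched: rekey at %u s, gap to expiry %u s\n",
               (unsigned)patched, (unsigned)gap_to_expiry(c, patched));
    }
    return 0;
}
```

With fuzz at 100 both variants agree (rekey at 3060 s, 540 s before expiry). At fuzz 50 the stock window shrinks but keeps its full 540 s margin, while the patched formula rekeys at 3330 s with only 270 s left; at fuzz 0 the stock formula is already fixed at 3060 s, whereas the patched one rekeys at the moment of expiry.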