[strongSwan] Question About the IKE rekey and ESP rekey time setting

Martin Willi martin at strongswan.org
Wed Jan 5 10:34:59 CET 2011


Hi David,

> According to the description listed on the strongSwan official
> website, the rekey time interval will be in the following scope:
> 
> 1)     IKE_REKEY interval:
> [IKERekeyLifetime-2*marginTime,IKERekeyLifetime-marginTime]
> 
> 2)ESP_REKEY interval:
> [IPsecRekeyLifetimeTime-2*marginTime,IPsecRekeyLifetimeTime-marginTime] 

I don't know which description you are referring to, but [1] is more
correct:

rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

> Secondly, I want to set the time of rekey as fixed value.

For a fixed ESP rekeying after 10s, and a fixed IKE rekeying after 20s,
try:

   ikelifetime=30s
   lifetime=20s
   rekeymargin=10s
   rekeyfuzz=0%

It is safe to set the fuzz to zero, but you should always have a margin.
Otherwise the rekey event collides with the critical timeout where the
SA gets deleted.

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
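The formula and the fixed-rekey configuration above, worked through as an added example (this is not code from strongSwan or from the mailing list post). It evaluates rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) for the ikelifetime/lifetime/rekeymargin/rekeyfuzz values Martin suggests, shows that rekeyfuzz=0% collapses the window to a single point, and checks the one rule he gives: the margin must not be zero. The helper names, the duration parser and the strongSwan default values used for comparison (lifetime 1h, rekeymargin 9m, rekeyfuzz 100%) are this example's own assumptions, not something the post states.

```python
import random
import re

# Constructed config: the fixed-rekey values suggested in the reply above.
FIXED_REKEY_CONF = {
    "ikelifetime": "30s",
    "lifetime": "20s",
    "rekeymargin": "10s",
    "rekeyfuzz": "0%",
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Parse an ipsec.conf-style duration ('10s', '9m', '1h', '2d' or plain seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_percent(value):
    """Parse a rekeyfuzz value such as '100%' or '0%' into an integer percentage."""
    m = re.fullmatch(r"\s*(\d+)\s*%?\s*", value)
    if not m:
        raise ValueError("bad percentage: %r" % value)
    return int(m.group(1))


def rekey_window(lifetime, margintime, rekeyfuzz_pct):
    """Earliest and latest possible rekey time (seconds after SA creation).

    With rekeyfuzz=100% this is [lifetime - 2*margin, lifetime - margin],
    i.e. the interval from the question; with rekeyfuzz=0% both ends coincide.
    """
    fuzz = margintime * rekeyfuzz_pct / 100.0
    return (lifetime - margintime - fuzz, lifetime - margintime)


def rekey_time(lifetime, margintime, rekeyfuzz_pct, rng=random):
    """One concrete draw of rekeytime = lifetime - (margintime + random(0, margintime*fuzz))."""
    fuzz = margintime * rekeyfuzz_pct / 100.0
    return lifetime - (margintime + rng.uniform(0, fuzz))


def rekey_windows(conf):
    """Rekey windows for the IKE SA and the ESP (CHILD) SA of one conn section."""
    margin = parse_duration(conf["rekeymargin"])
    fuzz = parse_percent(conf["rekeyfuzz"])
    return {
        "ike": rekey_window(parse_duration(conf["ikelifetime"]), margin, fuzz),
        "esp": rekey_window(parse_duration(conf["lifetime"]), margin, fuzz),
    }


def check_config(conf):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    margin = parse_duration(conf["rekeymargin"])
    fuzz = parse_percent(conf["rekeyfuzz"])
    if margin == 0:
        # The point made in the reply: with no margin the rekey event lands on
        # the hard lifetime, where the SA is deleted.
        problems.append("rekeymargin is 0: rekey collides with the SA delete timeout")
    for name in ("ikelifetime", "lifetime"):
        earliest, _ = rekey_window(parse_duration(conf[name]), margin, fuzz)
        if earliest <= 0:
            problems.append("%s too short for rekeymargin/rekeyfuzz: rekey at or before SA setup" % name)
    return problems


if __name__ == "__main__":
    print("fixed config windows:", rekey_windows(FIXED_REKEY_CONF))
    print("problems:", check_config(FIXED_REKEY_CONF))
    # Assumed strongSwan defaults (lifetime=1h, rekeymargin=9m, rekeyfuzz=100%):
    print("default-style window:", rekey_window(3600, 540, 100))
    print("one random draw:", rekey_time(3600, 540, 100))
```

With the suggested values the ESP SA rekeys at exactly 10s and the IKE SA at exactly 20s, both well before their 20s and 30s hard lifetimes; setting rekeymargin=0s makes check_config report the collision Martin warns about.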
