[strongSwan] Question About the IKE rekey and ESP rekey time setting
Martin Willi
martin at strongswan.org
Wed Jan 5 10:34:59 CET 2011
Hi David,
> According to the description which is listed on the strongswan official
> website, the rekey time interval will be in the following scope:
>
> 1) IKE_REKEY interval:
> [IKERekeyLifetime-2*marginTime,IKERekeyLifetime-marginTime]
>
> 2) ESP_REKEY interval:
> [IPsecRekeyLifetimeTime-2*marginTime,IPsecRekeyLifetimeTime-marginTime]

I don't know which description you are referring to, but [1] is more
correct:

  rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

> Secondly, I want to set the time of rekey as fixed value.

For a fixed ESP rekeying after 10s, and a fixed IKE rekeying after 20s,
try:

  ikelifetime=30s
  lifetime=20s
  rekeymargin=10s
  rekeyfuzz=0%

It is safe to set the fuzz to zero, but you always should have a margin.
Otherwise the rekey event collides with the critical timeout where the
SA gets deleted.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
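
The rekeytime formula quoted in the message above, applied to the four settings it lists, as an added example (not part of the original mail and not strongSwan code). The function names, the s/m/h/d suffix parsing, the "earliest <= 0" sanity check and the second settings block are assumptions made for the illustration.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert a time value such as '20s' or '3h' to seconds (no suffix = seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def rekey_window(lifetime, margin, fuzz_pct):
    """(earliest, latest) rekey time in seconds after the SA is set up, from
    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))."""
    latest = lifetime - margin                           # random term is 0
    earliest = lifetime - margin * (1 + fuzz_pct / 100)  # random term at its maximum
    return earliest, latest

def check_conn(text):
    """Compute the IKE and ESP rekey windows for a block of key=value settings."""
    conf = dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    margin = seconds(conf["rekeymargin"])
    fuzz = float(conf["rekeyfuzz"].rstrip("%"))
    report = {}
    for name, key in (("IKE", "ikelifetime"), ("ESP", "lifetime")):
        earliest, latest = rekey_window(seconds(conf[key]), margin, fuzz)
        problems = []
        if margin == 0:
            problems.append("no margin: rekey collides with SA deletion")
        if earliest <= 0:
            problems.append("margin plus fuzz can consume the whole lifetime")
        report[name] = (earliest, latest, problems)
    return report

# Settings from the message: fixed ESP rekey at 10s, fixed IKE rekey at 20s.
MAIL_SETTINGS = "ikelifetime=30s\nlifetime=20s\nrekeymargin=10s\nrekeyfuzz=0%"
# Constructed variant: same lifetimes with rekeyfuzz=100%, so the window widens.
FUZZY_SETTINGS = "ikelifetime=30s\nlifetime=20s\nrekeymargin=10s\nrekeyfuzz=100%"

if __name__ == "__main__":
    for label, text in (("mail", MAIL_SETTINGS), ("fuzzy", FUZZY_SETTINGS)):
        for sa, (lo, hi, problems) in check_conn(text).items():
            print(f"{label:5} {sa}: rekey between {lo:g}s and {hi:g}s {problems}")
```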