[strongSwan] Question About the IKE rekey and ESP rekey time setting
David Deng
david.live.koo at gmail.com
Thu Jan 6 02:58:25 CET 2011
Hi Martin,
Thank you for your detailed information!
Cheers,
David Morris
2011/1/5 Martin Willi <martin at strongswan.org>
> Hi David,
>
> > According to the description which is listed on the strongswan official
> > website, the rekey time interval will be in the following scope:
> >
> > 1) IKE_REKEY interval:
> > [IKERekeyLifetime-2*marginTime,IKERekeyLifetime-marginTime]
> >
> > 2) ESP_REKEY interval:
> > [IPsecRekeyLifetimeTime-2*marginTime,IPsecRekeyLifetimeTime-marginTime]
>
> I don't know which description you are referring to, but [1] is more
> correct:
>
> rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
>
> > Secondly, I want to set the time of rekey as fixed value.
>
> For a fixed ESP rekeying after 10s, and a fixed IKE rekeying after 20s,
> try:
>
> ikelifetime=30s
> lifetime=20s
> rekeymargin=10s
> rekeyfuzz=0%
>
> It is safe to set the fuzz to zero, but you should always have a margin.
> Otherwise the rekey event collides with the critical timeout where the
> SA gets deleted.
>
> Regards
> Martin
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
>
>
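The rekey formula and the fixed-timer settings quoted above, worked through as an added example (not part of the original thread and not strongSwan code). The function names are hypothetical; FIXED holds the values from Martin's reply, while NO_MARGIN and FUZZED are constructed variants that show the collision he warns about and a non-zero fuzz window.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Convert an ipsec.conf-style time ('30s', '9m', '1h') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conf(text):
    """Read key=value lines into a dict."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def rekey_window(lifetime, margin, fuzz_pct):
    """Bounds of rekeytime = lifetime - (margin + random(0, margin * fuzz))."""
    earliest = lifetime - (margin + margin * fuzz_pct // 100)
    latest = lifetime - margin
    return earliest, latest

def audit(conf_text):
    """Return {SA type: (earliest, latest, [problems])} in seconds after setup."""
    conf = parse_conf(conf_text)
    margin = parse_time(conf["rekeymargin"])
    fuzz_pct = int(conf["rekeyfuzz"].rstrip("%"))
    report = {}
    for sa, key in (("IKE", "ikelifetime"), ("ESP", "lifetime")):
        lifetime = parse_time(conf[key])
        earliest, latest = rekey_window(lifetime, margin, fuzz_pct)
        problems = []
        if margin == 0:
            problems.append("rekey fires at the same moment the SA is deleted")
        if earliest <= 0:
            problems.append("margin plus fuzz uses up the whole lifetime")
        report[sa] = (earliest, latest, problems)
    return report

# Values from the reply above, then two constructed variants.
FIXED = "ikelifetime=30s\nlifetime=20s\nrekeymargin=10s\nrekeyfuzz=0%"
NO_MARGIN = "ikelifetime=30s\nlifetime=20s\nrekeymargin=0s\nrekeyfuzz=0%"
FUZZED = "ikelifetime=3h\nlifetime=1h\nrekeymargin=9m\nrekeyfuzz=100%"

if __name__ == "__main__":
    for name, text in (("fixed", FIXED), ("no margin", NO_MARGIN), ("fuzzed", FUZZED)):
        print(name, audit(text))
```

With zero fuzz the earliest and latest values coincide, which is what makes the rekey time fixed; the margin is the gap that remains between that moment and SA deletion.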