[strongSwan] Question About the IKE rekey and ESP rekey time setting
david.live.koo at gmail.com
Thu Jan 6 02:58:25 CET 2011
Thank you for your detailed information!
2011/1/5 Martin Willi <martin at strongswan.org>
> Hi David,
> > According to the description which is listed on the strongSwan official
> > website, the rekey time interval will be in the following scope:
> > 1) IKE_REKEY interval:
> > [IKERekeyLifetime-2*marginTime,IKERekeyLifetime-marginTime]
> > 2) ESP_REKEY interval:
> > [IPsecRekeyLifetimeTime-2*marginTime,IPsecRekeyLifetimeTime-marginTime]
> I don't know to which description you are referring to, but  is more
> rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
> > Secondly, I want to set the time of rekey as fixed value.
> For a fixed ESP rekeying after 10s, and a fixed IKE rekeying after 20s,
> It is safe to set the fuzz to zero, but you always should have a margin.
> Otherwise the rekey event collides with the critical timeout where the
> SA gets deleted.
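
The formula quoted above, worked through as an added example that is not part of the original thread: it computes the window the rekey time can fall in, shows that the interval from the question is the rekeyfuzz = 100% case, and derives settings for a fixed rekey time. The function names and the 5 s margin used in the usage lines are assumptions made for illustration.

```python
import random

def rekey_window(lifetime, margintime, rekeyfuzz):
    """Earliest and latest rekey time in seconds under
    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)).
    rekeyfuzz is a fraction here: 1.0 means 100%."""
    earliest = lifetime - margintime * (1 + rekeyfuzz)
    latest = lifetime - margintime
    return earliest, latest

def draw_rekeytime(lifetime, margintime, rekeyfuzz, rng=random):
    """One random draw of the rekey time, following the formula."""
    return lifetime - (margintime + rng.uniform(0, margintime * rekeyfuzz))

def check(lifetime, margintime, rekeyfuzz):
    """List the problems with a lifetime / margin / fuzz combination."""
    problems = []
    earliest, _ = rekey_window(lifetime, margintime, rekeyfuzz)
    if margintime <= 0:
        problems.append("no margin: rekey coincides with SA deletion")
    if rekeyfuzz < 0:
        problems.append("negative fuzz")
    if earliest <= 0:
        problems.append("rekey window starts at or before SA setup")
    return problems

def settings_for_fixed_rekey(rekey_after, margintime):
    """Fixed rekey after rekey_after seconds: fuzz 0, lifetime = rekey + margin."""
    return {"lifetime": rekey_after + margintime,
            "margintime": margintime,
            "rekeyfuzz": 0.0}

if __name__ == "__main__":
    # Constructed values: 1 h lifetime, 9 min margin, 100% fuzz.
    # The result is [lifetime - 2*margin, lifetime - margin].
    print(rekey_window(3600, 540, 1.0))
    # Fixed ESP rekey after 10 s and IKE rekey after 20 s, assumed 5 s margin.
    for name, after in (("ESP", 10), ("IKE", 20)):
        cfg = settings_for_fixed_rekey(after, 5)
        print(name, cfg, rekey_window(**cfg), check(**cfg))
    # Margin of zero: the rekey lands on the deletion timeout.
    print(check(10, 0, 0.0))
```
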