[strongSwan] PSK_with_ideal_keys, charon_crashes_with_8m_keylife_?
encryptos at gmail.com
Mon Mar 21 14:07:02 CET 2011
It is my first post and I would like to thank the strongSwan creators and
all who contribute to this excellent suite of tools.
I've been watching almost all e-mails and I'm impressed by the almost
immediate response of Andreas, Willi, Tobias
I have a couple of questions:
If someone could supply me with a group of a couple of thousands of
cryptographically ideal keys (statistically independent, FIPS 140-2, etc.)
and also guarantee that the keys could be safely distributed to all peers
then if I use these keys as PSK this is what really happens:
The PSK keys will be used to derive all SKEYSEED values SK_x but the actual
mathematical characteristics of the given group of cryptokeys will not be
inherited to the keys used by the CHILD_SA because DH is the base mechanism
for the creation of the "traffic keys".
How could I take advantage of the "given ideal keys" ?
Is it possible to use the DH derived keys as an index to the pool of those
I've been testing the following scenario:
After many hours (14h appx.) of continuous but low traffic (0.01%, that is
about 15 packets/sec),
I received the debug messages:
charon: 08[DMN] thread 10 received 11
charon: 08[DMN] killing ourself, received critical signal
while the configuration is like that:
I've seen the same messages (Bug#614105, regarding version 4.5.0-1)
but I'm using 4.4.1 and was quite stable from the beginning, even under
(rfc2544, tens of peers each with a couple of sub-nets)
Should I blame the short keylife (8m) ?
Is it possible that the rekey happens at 4m (rekeyfuzz=100%) and the time
left is not enough to make all calculations?
I would appreciate any help,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users