[strongSwan] why I get the wrong rekey time

张元玄 yuanakumazhang at gmail.com
Fri May 20 10:34:08 CEST 2011


I set the IKE rekey time as follows:

conn %default
	ikelifetime=6m
	keylife=3m
	rekeymargin=1m
	keyingtries=2
	rekeyfuzz =0%

But I found that the messages are always like the following, which
causes the data transfer to stop.
1. INFORMATIONAL (deleting IKE_SA)
2. INFORMATIONAL (deleting IKE_SA confirm)
At this time the IPsec tunnel is destroyed.
3. IKE_SA_INIT
4. IKE_SA_INIT
5. IKE_AUTH
6. IKE_AUTH
The new IPsec tunnel is set up.



I think the right sequence of messages should be like the
following (defined by RFC 4306, section 2.8, Rekeying); then the data
transfer will not stop.
1. IKE_SA_INIT
2. IKE_SA_INIT
3. IKE_AUTH
4. IKE_AUTH
5. INFORMATIONAL (deleting IKE_SA)
6. INFORMATIONAL (deleting IKE_SA confirm)

Can anyone help me?



