[strongSwan] Soft Lifetime set as "0" in SAD in data base

Andreas Steffen andreas.steffen at strongswan.org
Mon Apr 2 12:51:40 CEST 2012


Hello Reshma,

the IKEv1 pluto daemon does not set the lifetime fields
in the Linux kernel:

  http://www.strongswan.org/uml/testresults/ikev1/net2net-cert/moon.ip.state

whereas the IKEv2 charon daemon does:

  http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/moon.ip.state

This has historical reasons. pluto goes a long way back to the
FreeS/WAN project, which with KLIPS had an IPsec stack implementation
of its own. The Phase 2 rekeying is managed by the daemon's userland
event scheduler.

Our IKEv2 charon daemon subscribes to XFRM events generated by the
Linux kernel which are triggered by the IPsec state's hard and soft
limits.

Regards

Andreas

On 02.04.2012 12:13, Reshma Begam wrote:
> Hi,
> 
>  I have seen the soft lifetime as 0 in the SAD database; when can this happen?
> Can someone please comment? Following are the lifetime and margin
> values used in our configuration.
> 
> ikelifetime (phase1) : 3600s
> keylife     (phase2) : 1800s
> rekeymargin          : keylifetime/10 = 1800/10
> rekeyfuzz            : 100%
> 
> 
> Setkey -D
> ====================
> # setkey -D
> source=10.69.211.113 destination=10.69.211.169
>         protocol=esp mode=tunnel spi=171795725(0x0a3d650d)
> reqid=3(0x00000003)
>         encr-algo=aes-cbc
>         encr-key=d4ce82ab1a1a227042f7223be73992aa
>         auth-algo=hmac-sha1
>         auth-key=9813fe27b461ae4e21aa30b3c8d4d0d5e02e5beb
>         replay-window=32 flags=0x11000000 state=mature seq=1 pid=12331
>         created=2012-03-30/12:59:04 current=2012-03-30/13:20:49
> elapsed=1305(s)
>         hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
>      *   soft-lifetime=0(s) renewal=2012-03-30/12:59:04 *
>         last-use=2012-03-30/12:59:05
>         bytes-processed=3005251 hard-lifebyte=0 soft-lifebyte=0
>         vrfid=0 xvrfid=0
> source=10.69.211.169 destination=10.69.211.113
>         protocol=esp mode=tunnel spi=3393626443(0xca46a14b)
> reqid=3(0x00000003)
>         encr-algo=aes-cbc
>         encr-key=33df05abedf86b9a83a66e4f4cb47058
>         auth-algo=hmac-sha1
>         auth-key=bbaa5769f326304efe20cfb978074f1252e09f18
>         replay-window=32 flags=0x10000000 state=mature seq=0 pid=12331
>         created=2012-03-30/12:59:04 current=2012-03-30/13:20:49
> elapsed=1305(s)
>         hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
>         soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
>         last-use=never
>         bytes-processed=2222776 hard-lifebyte=0 soft-lifebyte=0
>         vrfid=0 xvrfid=0
> 
> 
> -- 
>  
> Regards,
> Reshma

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
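As an added example (not code from the thread or from the strongSwan project), a small Python parser for the `setkey -D` format quoted above that flags SAs whose soft lifetime is 0, i.e. where the kernel will not raise a soft-expiry event and rekeying depends on the daemon's own scheduler. The sample dump is constructed (dummy addresses, SPIs and keys, values shaped like the ones in the thread) and the helper names are my own.

```python
import re

# Constructed `setkey -D` excerpt in the layout quoted in the thread (dummy values).
SAMPLE_SAD = """\
source=192.0.2.1 destination=192.0.2.2
        protocol=esp mode=tunnel spi=16909060(0x01020304)
reqid=1(0x00000001)
        encr-algo=aes-cbc
        encr-key=00112233445566778899aabbccddeeff
        auth-algo=hmac-sha1
        replay-window=32 flags=0x11000000 state=mature seq=1 pid=4242
        created=2012-03-30/12:59:04 current=2012-03-30/13:20:49
elapsed=1305(s)
        hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
        soft-lifetime=0(s) renewal=2012-03-30/12:59:04
source=192.0.2.2 destination=192.0.2.1
        protocol=esp mode=tunnel spi=84281096(0x05060708)
reqid=1(0x00000001)
        encr-algo=aes-cbc
        encr-key=ffeeddccbbaa99887766554433221100
        auth-algo=hmac-sha1
        replay-window=32 flags=0x10000000 state=mature seq=0 pid=4242
        created=2012-03-30/12:59:04 current=2012-03-30/13:20:49
elapsed=1305(s)
        hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
        soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
"""

KV = re.compile(r"([\w-]+)=(\S+)")  # key=value tokens, e.g. hard-lifetime=1800(s)

def parse_sad(text):
    """Split `setkey -D` output into one dict per SA; each SA starts at a 'source=' line."""
    sas = []
    for line in text.splitlines():
        if line.startswith("source="):
            sas.append({})
        if sas:
            sas[-1].update(KV.findall(line))
    return sas

def seconds(value):
    """Turn '1800(s)' into 1800."""
    return int(value.split("(")[0])

def classify(sa):
    """Say whether the kernel will signal a soft expiry and how much hard lifetime is left."""
    hard, soft, elapsed = (seconds(sa[k]) for k in ("hard-lifetime", "soft-lifetime", "elapsed"))
    return {
        "spi": sa["spi"].split("(")[0],
        # soft == 0: no kernel soft-expiry event; rekeying rests on the daemon's scheduler (pluto case)
        "kernel_soft_expire": soft > 0,
        "hard_remaining": hard - elapsed,
        "soft_remaining": max(soft - elapsed, 0) if soft else None,
    }

def report(text):
    """Classify every SA in a `setkey -D` dump."""
    return [classify(sa) for sa in parse_sad(text)]
```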
