[strongSwan] Soft Lifetime set as "0" in SAD in data base
Reshma Begam
reshma.begam at gmail.com
Mon Apr 2 13:22:05 CEST 2012
Hi Andreas,
OK, the pluto daemon is for IKEv1. But the SADs I have mentioned
here are for charon.
Thanks,
Reshma
On Mon, Apr 2, 2012 at 4:21 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hello Reshma,
>
> the IKEv1 pluto daemon does not set the lifetime fields
> in the Linux kernel:
>
>
> http://www.strongswan.org/uml/testresults/ikev1/net2net-cert/moon.ip.state
>
> whereas the IKEv2 charon daemon does:
>
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/moon.ip.state
>
> This has historic reasons. pluto goes a long way back to the
> FreeS/WAN project which with KLIPS had an IPsec stack implementation
> of its own. The Phase 2 rekeying is managed by the daemon's userland
> event scheduler.
>
> Our IKEv2 charon daemon subscribes to XFRM events generated by the
> Linux kernel which are triggered by the IPsec state's hard and soft
> limits.
>
> Regards
>
> Andreas
>
> On 02.04.2012 12:13, Reshma Begam wrote:
> > Hi,
> >
> > I have seen the soft lifetime as 0 in the SAD database; when can this happen?
> > Can someone please comment? Following are the lifetime and margin
> > values used in our configuration.
> >
> > ikelifetime (phase1) : 3600s
> > keylife (phase2) : 1800s
> > rekeymargin : keylifetime/10 = 1800/10
> > rekeyfuzz : 100%
> >
> >
> > Setkey -D
> > ====================
> > # setkey -D
> > source=10.69.211.113 destination=10.69.211.169
> > protocol=esp mode=tunnel spi=171795725(0x0a3d650d)
> > reqid=3(0x00000003)
> > encr-algo=aes-cbc
> > encr-key=d4ce82ab1a1a227042f7223be73992aa
> > auth-algo=hmac-sha1
> > auth-key=9813fe27b461ae4e21aa30b3c8d4d0d5e02e5beb
> > replay-window=32 flags=0x11000000 state=mature seq=1 pid=12331
> > created=2012-03-30/12:59:04 current=2012-03-30/13:20:49
> > elapsed=1305(s)
> > hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
> > * soft-lifetime=0(s) renewal=2012-03-30/12:59:04 *
> > last-use=2012-03-30/12:59:05
> > bytes-processed=3005251 hard-lifebyte=0 soft-lifebyte=0
> > vrfid=0 xvrfid=0
> > source=10.69.211.169 destination=10.69.211.113
> > protocol=esp mode=tunnel spi=3393626443(0xca46a14b)
> > reqid=3(0x00000003)
> > encr-algo=aes-cbc
> > encr-key=33df05abedf86b9a83a66e4f4cb47058
> > auth-algo=hmac-sha1
> > auth-key=bbaa5769f326304efe20cfb978074f1252e09f18
> > replay-window=32 flags=0x10000000 state=mature seq=0 pid=12331
> > created=2012-03-30/12:59:04 current=2012-03-30/13:20:49
> > elapsed=1305(s)
> > hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
> > soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
> > last-use=never
> > bytes-processed=2222776 hard-lifebyte=0 soft-lifebyte=0
> > vrfid=0 xvrfid=0
> >
> >
> > --
> >
> > Regards,
> > Reshma
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
--
Regards,
Reshma
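
The check implied by this thread, as an added example (not part of the original messages and not strongSwan code): it parses `setkey -D` style output, computes the soft-lifetime window expected from the posted keylife, rekeymargin and rekeyfuzz, and flags any SA whose soft lifetime is 0 while a hard lifetime is set. The function names, the trimmed sample dump and the rekey formula soft = keylife - (rekeymargin + random(0, rekeymargin * rekeyfuzz)) are assumptions that do not appear in the thread.

```python
import re

# Constructed sample modelled on the `setkey -D` dump in this thread
# (key material and unrelated fields omitted).
SAMPLE = """\
source=10.69.211.113 destination=10.69.211.169
protocol=esp mode=tunnel spi=171795725(0x0a3d650d)
hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
soft-lifetime=0(s) renewal=2012-03-30/12:59:04
source=10.69.211.169 destination=10.69.211.113
protocol=esp mode=tunnel spi=3393626443(0xca46a14b)
hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
"""

FIELD = re.compile(r"([\w-]+)=(\S+)")

def parse_sas(dump):
    """Return one dict per SA; a `source=` line starts a new SA."""
    sas = []
    for line in dump.splitlines():
        line = line.lstrip("> *")  # tolerate mail quoting and emphasis marks
        if line.startswith("source="):
            sas.append({})
        if sas:
            sas[-1].update(FIELD.findall(line))
    return sas

def seconds(value):
    return int(value.split("(")[0])  # "1800(s)" -> 1800

def soft_window(keylife, margin, fuzz_pct):
    # Assumed formula: soft = keylife - (margin + random(0, margin * fuzz))
    return keylife - margin - margin * fuzz_pct // 100, keylife - margin

def audit(dump, keylife=1800, margin=180, fuzz_pct=100):
    """Classify each SA's soft lifetime against the expected window."""
    lo, hi = soft_window(keylife, margin, fuzz_pct)
    findings = []
    for sa in parse_sas(dump):
        hard, soft = seconds(sa["hard-lifetime"]), seconds(sa["soft-lifetime"])
        status = ("no-soft-limit" if soft == 0 and hard > 0
                  else "ok" if lo <= soft <= hi else "outside-window")
        findings.append((sa["spi"], hard, soft, status))
    return findings

if __name__ == "__main__":
    for spi, hard, soft, status in audit(SAMPLE):
        print(f"spi={spi} hard={hard}s soft={soft}s -> {status}")
```

With the posted values the expected window is 1440 to 1620 seconds, so the 1557 s entry is consistent with the configuration and only the SA reporting 0 is flagged.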