[strongSwan] Soft Lifetime set as "0" in SAD in data base

Reshma Begam reshma.begam at gmail.com
Mon Apr 2 13:22:05 CEST 2012


Hi Andreas,

OK, the pluto daemon is for IKEv1. But the SADs I have mentioned here
are for charon.

Thanks,
Reshma

On Mon, Apr 2, 2012 at 4:21 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hello Reshma,
>
> the IKEv1 pluto daemon does not set the lifetime fields
> in the Linux kernel:
>
>
> http://www.strongswan.org/uml/testresults/ikev1/net2net-cert/moon.ip.state
>
> whereas the IKEv2 charon daemon does:
>
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/moon.ip.state
>
> This has historic reasons. pluto goes a long way back to the
> FreeS/WAN project which with KLIPS had an IPsec stack implementation
> of its own. The Phase 2 rekeying is managed by the daemon's userland
> event scheduler.
>
> Our IKEv2 charon daemon subscribes to XFRM events generated by the
> Linux kernel which are triggered by the IPsec state's hard and soft
> limits.
>
> Regards
>
> Andreas
>
> On 02.04.2012 12:13, Reshma Begam wrote:
> > Hi,
> >
> > I have seen the soft lifetime as 0 in the SAD database; when can this happen?
> > Can someone please comment? Following are the lifetime and margin
> > values used in our configuration.
> >
> > ikelifetime   (phase1)         :  3600s
> > keylife   (phase2)              : 1800s
> > rekeymargin                     : keylifetime/10 = 1800/10
> > rekeyfuzz                         : 100%
> >
> >
> > Setkey -D
> > ====================
> > # setkey -D
> > source=10.69.211.113 destination=10.69.211.169
> >         protocol=esp mode=tunnel spi=171795725(0x0a3d650d) reqid=3(0x00000003)
> >         encr-algo=aes-cbc
> >         encr-key=d4ce82ab1a1a227042f7223be73992aa
> >         auth-algo=hmac-sha1
> >         auth-key=9813fe27b461ae4e21aa30b3c8d4d0d5e02e5beb
> >         replay-window=32 flags=0x11000000 state=mature seq=1 pid=12331
> >         created=2012-03-30/12:59:04 current=2012-03-30/13:20:49 elapsed=1305(s)
> >         hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
> >      *   soft-lifetime=0(s) renewal=2012-03-30/12:59:04 *
> >         last-use=2012-03-30/12:59:05
> >         bytes-processed=3005251 hard-lifebyte=0 soft-lifebyte=0
> >         vrfid=0 xvrfid=0
> > source=10.69.211.169 destination=10.69.211.113
> >         protocol=esp mode=tunnel spi=3393626443(0xca46a14b) reqid=3(0x00000003)
> >         encr-algo=aes-cbc
> >         encr-key=33df05abedf86b9a83a66e4f4cb47058
> >         auth-algo=hmac-sha1
> >         auth-key=bbaa5769f326304efe20cfb978074f1252e09f18
> >         replay-window=32 flags=0x10000000 state=mature seq=0 pid=12331
> >         created=2012-03-30/12:59:04 current=2012-03-30/13:20:49 elapsed=1305(s)
> >         hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
> >         soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
> >         last-use=never
> >         bytes-processed=2222776 hard-lifebyte=0 soft-lifebyte=0
> >         vrfid=0 xvrfid=0
> >
> >
> > --
> >
> > Regards,
> > Reshma
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>


-- 

Regards,
Reshma
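
An added example, not part of the original thread or of strongSwan's code: a check over `setkey -D` style output that flags SAs carrying no soft time limit and tests the others against the window implied by the settings posted above. It assumes the rekey formula documented for ipsec.conf, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)); the function names and the abridged sample are constructed here.

```python
import re

# Assumption: the rekey formula documented for strongSwan's ipsec.conf,
#   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
def soft_window(lifetime, margin, fuzz_pct):
    """Return (min, max) soft lifetime in seconds that the formula can yield."""
    return lifetime - margin - margin * fuzz_pct // 100, lifetime - margin

SA_HEADER = re.compile(r"^source=(\S+) destination=(\S+)")
FIELD = re.compile(r"(spi|hard-lifetime|soft-lifetime)=(\d+)")

def parse_sad(text):
    """Parse `setkey -D` style output into one dict per SA."""
    sas = []
    for line in text.splitlines():
        m = SA_HEADER.match(line.strip())
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2)})
        elif sas:
            # findall tolerates wrapped lines and the '*' emphasis markers
            for key, value in FIELD.findall(line):
                sas[-1][key] = int(value)
    return sas

def audit(sas, lifetime, margin, fuzz_pct):
    """Classify each SA's soft lifetime against the expected window."""
    low, high = soft_window(lifetime, margin, fuzz_pct)
    report = []
    for sa in sas:
        soft = sa.get("soft-lifetime", 0)
        verdict = "no-soft-limit" if soft == 0 else "ok" if low <= soft <= high else "outside-window"
        report.append((sa["src"], sa["dst"], soft, verdict))
    return report

# Constructed sample: abridged from the dump in the thread, key material omitted.
SAMPLE = """\
source=10.69.211.113 destination=10.69.211.169
        protocol=esp mode=tunnel spi=171795725(0x0a3d650d)
        hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
     *   soft-lifetime=0(s) renewal=2012-03-30/12:59:04 *
source=10.69.211.169 destination=10.69.211.113
        protocol=esp mode=tunnel spi=3393626443(0xca46a14b)
        hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
        soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
"""

if __name__ == "__main__":
    for row in audit(parse_sad(SAMPLE), lifetime=1800, margin=180, fuzz_pct=100):
        print(row)
```

With keylife 1800s, a margin of 180s and 100% fuzz, the window is 1440s to 1620s, so the 1557s value fits it while the 0s entry is reported separately.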