[strongSwan] Soft Lifetime set as "0" in SAD in data base

Reshma Begam reshma.begam at gmail.com
Thu Apr 12 07:36:46 CEST 2012


Hi Andreas,

Could you please reply to the 0 soft lifetime query below?

We are using charon (ikev2). We are using strongswan version
# /usr/local/6bin/ipsec version
Linux strongSwan U4.3.1/K2.6.21.7-hrt1-NSN42-WR2.0NSN83.fp_octwnd_56xx_filb_standard

And we see that only outbound SAs have a soft lifetime of 0, whereas inbound
SAs have no issues.

Could you please let me know the scenario in which this can happen, and whether
there is any strongSwan patch for this issue?

*setkey -D* and *ip xfrm -s state* both show the soft lifetime as 0.


Thanks,
Reshma

On Mon, Apr 2, 2012 at 4:52 PM, Reshma Begam <reshma.begam at gmail.com> wrote:

> Hi Andreas,
>
>  OK, the pluto daemon is for IKEv1. But the SADs I have mentioned here
> are for charon.
>
> Thanks,
> Reshma
>
>
> On Mon, Apr 2, 2012 at 4:21 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hello Reshma,
>>
>> the IKEv1 pluto daemon does not set the lifetime fields
>> in the Linux kernel:
>>
>>
>> http://www.strongswan.org/uml/testresults/ikev1/net2net-cert/moon.ip.state
>>
>> whereas the IKEv2 charon daemon does:
>>
>>
>> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/moon.ip.state
>>
>> This has historic reasons. pluto goes a long way back to the
>> FreeS/WAN project which with KLIPS had an IPsec stack implementation
>> of its own. The Phase 2 rekeying is managed by the daemon's userland
>> event scheduler.
>>
>> Our IKEv2 charon daemon subscribes to XFRM events generated by the
>> Linux kernel which are triggered by the IPsec state's hard and soft
>> limits.
>>
>> Regards
>>
>> Andreas
>>
>> On 02.04.2012 12:13, Reshma Begam wrote:
>> > Hi,
>> >
>> >  I have seen the soft lifetime as 0 in the SAD database. When can this happen?
>> > Can someone please comment? Following are the lifetime and margin
>> > values used in our configuration.
>> >
>> > ikelifetime   (phase1)         :  3600s
>> > keylife   (phase2)              : 1800s
>> > rekeymargin                     : keylifetime/10 = 1800/10
>> > rekeyfuzz                         : 100%
>> >
>> >
>> > Setkey -D
>> > ====================
>> > # setkey -D
>> > source=10.69.211.113 destination=10.69.211.169
>> >         protocol=esp mode=tunnel spi=171795725(0x0a3d650d) reqid=3(0x00000003)
>> >         encr-algo=aes-cbc
>> >         encr-key=d4ce82ab1a1a227042f7223be73992aa
>> >         auth-algo=hmac-sha1
>> >         auth-key=9813fe27b461ae4e21aa30b3c8d4d0d5e02e5beb
>> >         replay-window=32 flags=0x11000000 state=mature seq=1 pid=12331
>> >         created=2012-03-30/12:59:04 current=2012-03-30/13:20:49 elapsed=1305(s)
>> >         hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
>> >      *   soft-lifetime=0(s) renewal=2012-03-30/12:59:04 *
>> >         last-use=2012-03-30/12:59:05
>> >         bytes-processed=3005251 hard-lifebyte=0 soft-lifebyte=0
>> >         vrfid=0 xvrfid=0
>> > source=10.69.211.169 destination=10.69.211.113
>> >         protocol=esp mode=tunnel spi=3393626443(0xca46a14b) reqid=3(0x00000003)
>> >         encr-algo=aes-cbc
>> >         encr-key=33df05abedf86b9a83a66e4f4cb47058
>> >         auth-algo=hmac-sha1
>> >         auth-key=bbaa5769f326304efe20cfb978074f1252e09f18
>> >         replay-window=32 flags=0x10000000 state=mature seq=0 pid=12331
>> >         created=2012-03-30/12:59:04 current=2012-03-30/13:20:49 elapsed=1305(s)
>> >         hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
>> >         soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
>> >         last-use=never
>> >         bytes-processed=2222776 hard-lifebyte=0 soft-lifebyte=0
>> >         vrfid=0 xvrfid=0
>> >
>> >
>> > --
>> >
>> > Regards,
>> > Reshma
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
>
> --
>
> Regards,
> Reshma
>
>


-- 

Regards,
Reshma
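
Added example (not part of the original thread, and not strongSwan code): a small audit of `setkey -D` output that flags SAs whose soft lifetime is 0 while a hard lifetime is set, and checks the others against the window given by the rekey formula documented for ipsec.conf, rekeytime = lifetime - (margin + random(0, margin * rekeyfuzz)). The sample dump is constructed from the values quoted in this thread with key material omitted; the function names and status labels are hypothetical, and treating a soft limit of 0 as "no soft expire scheduled" assumes standard Linux XFRM semantics.

```python
import re

# Constructed sample modelled on the `setkey -D` dump quoted in this thread
# (key material omitted, wrapped lines joined).
SAMPLE = """\
source=10.69.211.113 destination=10.69.211.169
        protocol=esp mode=tunnel spi=171795725(0x0a3d650d) reqid=3(0x00000003)
        hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
        soft-lifetime=0(s) renewal=2012-03-30/12:59:04
source=10.69.211.169 destination=10.69.211.113
        protocol=esp mode=tunnel spi=3393626443(0xca46a14b) reqid=3(0x00000003)
        hard-lifetime=1800(s) expiration=2012-03-30/13:29:04
        soft-lifetime=1557(s) renewal=2012-03-30/13:25:01
"""

FIELDS = re.compile(r"(spi|hard-lifetime|soft-lifetime)=(\d+)")

def parse_sas(text):
    """Split a setkey -D dump into one dict per SA."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"source=(\S+) destination=(\S+)", line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2)})
        elif sas:
            for key, val in FIELDS.findall(line):
                sas[-1][key] = int(val)
    return sas

def soft_window(keylife, margin, fuzz_pct):
    """Range of keylife - (margin + random(0, margin * fuzz))."""
    return keylife - margin - margin * fuzz_pct // 100, keylife - margin

def audit(text, keylife=1800, margin=180, fuzz_pct=100):
    """Defaults are the thread's values: keylife 1800s, margin 1800/10, fuzz 100%."""
    lo, hi = soft_window(keylife, margin, fuzz_pct)
    findings = []
    for sa in parse_sas(text):
        soft, hard = sa.get("soft-lifetime"), sa.get("hard-lifetime")
        if soft == 0 and hard:
            status = "NO_SOFT_LIMIT"  # assumption: 0 = no soft expire scheduled
        elif soft is not None and lo <= soft <= hi:
            status = "OK"
        else:
            status = "OUT_OF_WINDOW"
        findings.append((sa["src"], sa["dst"], sa.get("spi"), status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

With the thread's configuration the expected soft-limit window is 1440 to 1620 seconds, so the inbound SA (1557s) passes and the outbound SA is flagged.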