[strongSwan] soft lifetime for inbound and outbound SA

divya mohan divzsecondary at gmail.com
Mon Apr 16 15:07:27 CEST 2012


I found this information from

>> Since the in- and outbound IPsec SA are rekeyed together only one of them needs to trigger it
>> (hard lifetimes are installed for both SAs to ensure they are deleted once they expire).
>> Regards,
>> Tobias

I am using strongswan-4.3.6. I found that soft-lifetimes are being
installed for both inbound and outbound SA (from 'setkey -D'  as well
as 'ip -s xfrm state' output).

>From strongswan-4.3.6/src/charon/ sa/child_sa.c, in function install:


    if (!lifetime->time.jitter && !inbound)
    {   /* avoid triggering multiple rekey events */
        lifetime->time.rekey = 0;

I have defined a value for  'rekeymargin' in ipsec.conf. When I print
'lifetime->time.jitter' I get this value.

If I have non-zero value for rekeymargin, above if loop (for setting
lifetime->time.rekey as zero) will never be hit.
[* ! * lifetime->time.jitter will be zero.]

Is this intentional?

This issue is not found with strongswan-4.3.2, in which "inbound ?
soft : 0" is passed to add_sa in the install function.
With strongswan-4.3.2 soft lifetime for outbound SA is zero in setkey
-D output.


More information about the Users mailing list