[strongSwan] soft lifetime for inbound and outbound SA
divya mohan
divzsecondary at gmail.com
Mon Apr 16 15:07:27 CEST 2012
Hi,
I found this information from
https://lists.strongswan.org/pipermail/users/2012-April/007415.html
>> Since the in- and outbound IPsec SA are rekeyed together only one of them needs to trigger it
>> (hard lifetimes are installed for both SAs to ensure they are deleted once they expire).
>>
>> Regards,
>> Tobias
I am using strongswan-4.3.6. I found that soft-lifetimes are being
installed for both inbound and outbound SA (from 'setkey -D' as well
as 'ip -s xfrm state' output).
From strongswan-4.3.6/src/charon/sa/child_sa.c, in function install:
--------------------------------------------------------------------------
    if (!lifetime->time.jitter && !inbound)
    {   /* avoid triggering multiple rekey events */
        lifetime->time.rekey = 0;
    }
--------------------------------------------------------------------------
I have defined a value for 'rekeymargin' in ipsec.conf. When I print
'lifetime->time.jitter' I get this value.
If I have a non-zero value for rekeymargin, the above if block (for setting
lifetime->time.rekey to zero) will never be hit.
[* ! * lifetime->time.jitter will be zero.]
Is this intentional?
This issue is not found with strongswan-4.3.2, in which "inbound ?
soft : 0" is passed to add_sa in the install function.
With strongswan-4.3.2 soft lifetime for outbound SA is zero in setkey
-D output.
Regards,
Divya
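To make the two behaviours discussed above concrete, here is an added C model (not strongSwan code) of what soft lifetime the kernel ends up with per direction: the 4.3.6 rule quoted from child_sa.c versus the 4.3.2 "inbound ? soft : 0" rule. It assumes a simplified soft lifetime of hard lifetime minus rekeymargin, and takes the jitter value as an explicit input instead of drawing it at random.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Lifetimes in seconds, shaped like strongSwan's lifetime->time fields. */
typedef struct {
    uint32_t life;   /* hard lifetime: the kernel deletes the SA at expiry */
    uint32_t rekey;  /* soft lifetime: the kernel asks charon to rekey */
    uint32_t jitter; /* randomisation window; 0 means no jitter configured */
} lifetime_t;

/* Soft lifetime installed for one direction under the 4.3.6 condition:
 * the outbound SA keeps its soft lifetime whenever jitter is non-zero. */
static uint32_t soft_lifetime_436(lifetime_t lt, bool inbound)
{
    if (!lt.jitter && !inbound)
    {   /* avoid triggering multiple rekey events */
        lt.rekey = 0;
    }
    return lt.rekey;
}

/* Soft lifetime installed under the 4.3.2 rule: only the inbound SA gets one. */
static uint32_t soft_lifetime_432(lifetime_t lt, bool inbound)
{
    return inbound ? lt.rekey : 0;
}

/* Constructed lifetime (assumption): soft = hard - rekeymargin, jitter given. */
static lifetime_t make_lifetime(uint32_t life, uint32_t margin, uint32_t jitter)
{
    lifetime_t lt = { .life = life, .rekey = life - margin, .jitter = jitter };
    return lt;
}

int main(void)
{
    /* Sample values: hard 3600s, rekeymargin 540s, jitter 0 or 540s. */
    uint32_t jitters[] = { 0, 540 };
    for (int j = 0; j < 2; j++)
    {
        lifetime_t lt = make_lifetime(3600, 540, jitters[j]);
        printf("jitter=%u  4.3.6: in=%u out=%u   4.3.2: in=%u out=%u\n",
               lt.jitter,
               soft_lifetime_436(lt, true), soft_lifetime_436(lt, false),
               soft_lifetime_432(lt, true), soft_lifetime_432(lt, false));
    }
    return 0;
}
```

With jitter 0 both versions leave the outbound SA without a soft lifetime; with a non-zero jitter only the 4.3.2 rule does, which is the difference visible in the setkey -D output described above.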