[strongSwan] soft lifetime for inbound and outbound SA

Tobias Brunner tobias at strongswan.org
Mon Apr 16 15:34:37 CEST 2012

Hi Divya,

> From strongswan-4.3.6/src/charon/sa/child_sa.c, in function install:
> --------------------------------------------------------------------------
>     if (!lifetime->time.jitter && !inbound)
>     {   /* avoid triggering multiple rekey events */
>         lifetime->time.rekey = 0;
>     }
> --------------------------------------------------------------------------
> I have defined a value for  'rekeymargin' in ipsec.conf. When I print
> 'lifetime->time.jitter' I get this value.
> If I have non-zero value for rekeymargin, above if loop (for setting
> lifetime->time.rekey as zero) will never be hit.
> [* ! * lifetime->time.jitter will be zero.]
> Is this intentional?

Yes, due to the jitter the rekey times for the in- and outbound SA will
differ, as each call to child_cfg_t.get_lifetime() will result in
randomly chosen values (see [1] for the formula).  By setting a
soft-lifetime for both SAs, the one with the lower value will trigger
the rekey.
This was not done in releases before 4.3.5, where only the inbound SA
was installed with a soft-lifetime (jitter was applied more statically
back then).  With the current solution it could theoretically happen
that the rekey times for both SAs are equal, but depending on the values
chosen for lifetime/rekeymargin/rekeyfuzz the range of possible values
is large enough that this result is quite unlikely.


[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
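The following is an added illustration, not code from strongSwan or from this thread. It models the per-SA soft-lifetime draw described above: each call to get_lifetime() subtracts rekeymargin plus a random jitter (assumed here to be `random() % (rekeymargin * rekeyfuzz / 100)`, as the ExpiryRekey wiki page describes), so the inbound and outbound SA get independent rekey times and the lower one fires first. With rekeyfuzz=0 the jitter is zero and, as in the quoted child_sa.c snippet, only the inbound SA keeps a soft lifetime. The default values (lifetime 3600 s, rekeymargin 540 s, rekeyfuzz 100%) and all function names are assumptions of this example.

```python
import random


def soft_lifetime(lifetime, margin, fuzz_percent, rng=random):
    """Rekey (soft) time of one SA in seconds, one get_lifetime() call.

    Assumed formula (ExpiryRekey wiki): rekey = lifetime - margin - random(jitter),
    where jitter = margin * fuzz_percent / 100 and random(j) is 0..j-1.
    """
    jitter = margin * fuzz_percent // 100
    if jitter == 0:
        return lifetime - margin          # no randomness at all
    return lifetime - margin - rng.randrange(jitter)


def install_child_sa_pair(lifetime, margin, fuzz_percent, rng=random):
    """Soft lifetimes (inbound, outbound) as installed since 4.3.5.

    Two independent draws; with zero jitter the outbound soft lifetime is
    cleared (0) so that only one rekey event is triggered, mirroring the
    quoted 'if (!lifetime->time.jitter && !inbound)' branch.
    """
    inbound = soft_lifetime(lifetime, margin, fuzz_percent, rng)
    jitter = margin * fuzz_percent // 100
    outbound = soft_lifetime(lifetime, margin, fuzz_percent, rng) if jitter else 0
    return inbound, outbound


def rekey_trigger(inbound, outbound):
    """Time at which the first soft expiry fires; 0 means 'no soft lifetime'."""
    return min(t for t in (inbound, outbound) if t)


def collision_probability_exact(margin, fuzz_percent):
    """Probability that both independent uniform draws are equal: 1/jitter."""
    jitter = margin * fuzz_percent // 100
    return 1.0 if jitter == 0 else 1.0 / jitter


def collision_probability_simulated(lifetime, margin, fuzz_percent, trials, seed=0):
    """Monte Carlo estimate of equal rekey times for in-/outbound SA."""
    rng = random.Random(seed)
    same = 0
    for _ in range(trials):
        i, o = install_child_sa_pair(lifetime, margin, fuzz_percent, rng)
        same += int(i == o)
    return same / trials


if __name__ == "__main__":
    # assumed ipsec.conf defaults: lifetime=1h, rekeymargin=9m, rekeyfuzz=100%
    inbound, outbound = install_child_sa_pair(3600, 540, 100)
    print("inbound soft lifetime :", inbound)
    print("outbound soft lifetime:", outbound)
    print("rekey triggered at    :", rekey_trigger(inbound, outbound))
    print("P(equal) exact        :", collision_probability_exact(540, 100))
    print("P(equal) simulated    :",
          collision_probability_simulated(3600, 540, 100, 20000))
```

With rekeyfuzz=100% the soft lifetime lands anywhere in [lifetime - 2*margin + 1, lifetime - margin], so the two SAs only coincide with probability 1/jitter (about 0.19% for the defaults); with rekeyfuzz=0 the outbound SA gets no soft lifetime and the inbound one always fires at lifetime - margin.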
