[strongSwan] Disabled rekeying and SA Lifetime

A. Valentin avalentin at marcant.net
Tue Aug 27 11:18:50 CEST 2013


Hi,

we have some clients that do not like it if strongSwan rekeys, so I disabled it. But now I have the problem that the SA is kept forever:

Security Associations (1 up, 0 connecting):
rw-test1[4]: ESTABLISHED 34 minutes ago, 1.2.3.4[server.loc]...2.3.4.5[client.loc]
rw-test1[4]: IKEv1 SPIs: 403cdf629e13081c_i 5dcfe6d2607e0db1_r*, rekeying disabled
rw-test1[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
rw-test1{1}:  REKEYING, TUNNEL, expires in 135 days
rw-test1{1}:   0.0.0.0/0 === 192.168.200.0/24
rw-test1{1}:  INSTALLED, TUNNEL, ESP SPIs: c4aa74b8_i 92b2ae81_o
rw-test1{1}:  AES_CBC_256/HMAC_SHA1_96, 34028 bytes_i (459 pkts, 2058s ago), 22752 bytes_o (430 pkts, 2058s ago), rekeying disabled
rw-test1{1}:   0.0.0.0/0 === 192.168.200.0/24
rw-test1{1}:  INSTALLED, TUNNEL, ESP SPIs: c501696d_i 3a73c1bb_o
rw-test1{1}:  AES_CBC_256/HMAC_SHA1_96, 11612 bytes_i (222 pkts, 7s ago), 10728 bytes_o (205 pkts, 7s ago), rekeying disabled
rw-test1{1}:   0.0.0.0/0 === 192.168.200.0/24

And there will be more and more ESP SPIs.
My configuration:
#######################################################################
conn %default
        rekeymargin=3m
        keyingtries=1
        authby=secret

conn fritz-base
        left=1.2.3.4
        leftsubnet=0.0.0.0/0
        leftid=@server.loc
        rightallowany=yes
        ikelifetime=1h
        lifetime=1h
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        compress=no
        aggressive=yes
        authby=secret
        keyingtries=%forever
        keyexchange=ikev1
        fragmentation=no
        dpdaction=none
        rekey=no

conn rw-test1
        also=fritz-base
        right=client.loc
        rightid=@client.loc
        rightsubnet=192.168.200.0/24
        auto=route
#######################################################################

Perhaps you have an idea how I can force the SA to have a lifetime, even if rekeying is disabled.


-- 
Kind regards,
André Valentin
Projektkoordination / Systemadministration

MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld
Fon: +49 (521) 95945-0 | Fax -18
URL: http://www.marcant.net | http://www.global-m2m.com

Geschäftsführer: Thorsten Hojas
Handelsregister: AG Bielefeld, HRB 35827 USt-ID Nr.: DE 190203238
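As an added example (not part of the original post and not strongSwan's own code), a small Python audit that parses `ipsec statusall` output like the excerpt above and reports connections where rekeying is disabled and more than one ESP SA has accumulated, listing the SPIs that have carried no traffic for a configurable interval. The sample text is the post's own excerpt; the 600-second idle threshold is an arbitrary assumption.

```python
import re

# Constructed sample: the CHILD_SA part of the `ipsec statusall` excerpt quoted in the post above.
STATUS_SAMPLE = """\
rw-test1{1}:  REKEYING, TUNNEL, expires in 135 days
rw-test1{1}:   0.0.0.0/0 === 192.168.200.0/24
rw-test1{1}:  INSTALLED, TUNNEL, ESP SPIs: c4aa74b8_i 92b2ae81_o
rw-test1{1}:  AES_CBC_256/HMAC_SHA1_96, 34028 bytes_i (459 pkts, 2058s ago), 22752 bytes_o (430 pkts, 2058s ago), rekeying disabled
rw-test1{1}:   0.0.0.0/0 === 192.168.200.0/24
rw-test1{1}:  INSTALLED, TUNNEL, ESP SPIs: c501696d_i 3a73c1bb_o
rw-test1{1}:  AES_CBC_256/HMAC_SHA1_96, 11612 bytes_i (222 pkts, 7s ago), 10728 bytes_o (205 pkts, 7s ago), rekeying disabled
rw-test1{1}:   0.0.0.0/0 === 192.168.200.0/24
"""
# Each installed CHILD_SA is printed as an "INSTALLED ... ESP SPIs" line followed by its traffic counters.
_EXPIRES = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+REKEYING, \w+, expires in (?P<expiry>.+)$")
_INSTALLED = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+INSTALLED, \w+, ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
_TRAFFIC = re.compile(r"^\S+\{\d+\}:\s+\S+, \d+ bytes_i(?: \(\d+ pkts, (?P<in_ago>\d+)s ago\))?,"
                      r" \d+ bytes_o(?: \(\d+ pkts, (?P<out_ago>\d+)s ago\))?(?P<norekey>, rekeying disabled)?")

def parse_status(text: str):
    """Group installed CHILD_SAs by connection and record the expiry strongSwan reports for each."""
    sas: dict[str, list[dict]] = {}
    expiry: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if m := _EXPIRES.match(line):
            expiry[m["conn"]] = m["expiry"]
        elif m := _INSTALLED.match(line):
            current = {"spi_in": m["spi_in"], "spi_out": m["spi_out"], "rekeying_disabled": False,
                       "last_traffic_s": None}  # seconds since the newest packet in either direction
            sas.setdefault(m["conn"], []).append(current)
        elif current and (m := _TRAFFIC.match(line)):  # counters belong to the SA just seen
            current["rekeying_disabled"] = m["norekey"] is not None
            ages = [int(a) for a in (m["in_ago"], m["out_ago"]) if a]
            current["last_traffic_s"] = min(ages) if ages else None
            current = None
    return sas, expiry

def audit(text: str, stale_after_s: int = 600) -> list[dict]:
    """Flag connections where rekeying is off and several ESP SAs have piled up; list the idle SPIs."""
    sas, expiry = parse_status(text)
    findings = []
    for conn, entries in sas.items():
        if len(entries) > 1 and all(e["rekeying_disabled"] for e in entries):
            stale = [e["spi_in"] for e in entries
                     if e["last_traffic_s"] is not None and e["last_traffic_s"] > stale_after_s]
            findings.append({"conn": conn, "installed": len(entries),
                             "stale_spis": stale, "expires_in": expiry.get(conn)})
    return findings
```

Feeding it the live output of `ipsec statusall` from a cron job gives an early warning that SAs are accumulating instead of being replaced, which is the symptom the post describes.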
