[strongSwan] Responder only behavior

Emeric POUPON emeric.poupon at stormshield.eu
Thu Nov 27 15:33:24 CET 2014


Hello,

I want to make my gateway "responder only": I do not want it to initiate negotiations nor renegotiations.

I set in ipsec.conf:

conn test
...
	type=tunnel
	leftauth=psk
	rightauth=psk
	keyexchange=ikev2
	auto=add
	lifetime=3600
	ikelifetime=1200
	rekeymargin=60
	dpdaction=clear
	dpddelay=30

If I kill the remote gw, the DPD does the job and clears the generated SA and SP. Good!
If I disable the DPD (dpddelay=0) and I kill the remote gw, the SA is being renegotiated (rekeying process) at the end of the lifetime.
Since I only want to act as a responder, this is not OK.

Then I saw rekey in the doc:

"  rekey = yes | no

whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but
while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding
to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.
Also see reauth."

This seems to be what I want. But if set that option to "no", I have SAs and SPs that live in the kernel forever (both hard ans soft lifetime set to 0).
Furthermore the IKE SA seems to live forever too:
Security Associations (1 up, 0 connecting):
site_to_site_001[1]: ESTABLISHED 35 minutes ago, XXX[XXX]...YYY[YYY]
site_to_site_001[1]: IKEv2 SPIs: c7dcc38e3acfcd5f_i 53d3c2f9cea553ec_r*, rekeying disabled
site_to_site_001[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
site_to_site_001{1}:  INSTALLED, TUNNEL, ESP SPIs: c6e6d402_i c5f08b9e_o
site_to_site_001{1}:  AES_CBC_128/HMAC_SHA1_96, 588 bytes_i (7 pkts, 1965s ago), 1064 bytes_o (7 pkts, 1965s ago), rekeying disabled
site_to_site_001{1}:   192.168.229.0/24 === 192.168.231.0/24 
(ikelifetime was set to 1200s = 20 minutes)

I guess I am missing something?

Best Regards,
Emeric




More information about the Users mailing list