[strongSwan] Regarding Key Generation in strongswan 4.2.8

Martin Willi martin at strongswan.org
Tue Sep 9 10:35:28 CEST 2014


> When I change the clock-source, the IPSEC tunnel goes for a toss
> because it seems that the keys are no more aligned between client and
> server!

It is unlikely that the unmatched keys come from system time changes. The IKE
protocol does not rely on a common system time (as Kerberos does), but
arranges common key material by other means.

More likely is that your SAs expire because of the system time changes.
4.2.8 did use the system time for SA lifetimes, but this has been
changed a long time ago in 4.3.5 to use a monotonic time source. Also
the Linux kernel is known to have some issues with SAD lifetime
management when system time changes.
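To make the distinction in the reply concrete, the following is an added example and not strongSwan code or anything posted in the thread. It is a hypothetical model of an SA lifetime timer that can be driven by either a wall clock (the 4.2.8-era behaviour the mail describes) or a monotonic clock (the post-4.3.5 behaviour). The `SaLifetime` and `FakeClocks` classes, the `simulate` helper and the constructed clock values are all assumptions introduced here so that a clock step can be reproduced offline.

```python
"""Added example: why SA lifetimes must be measured on a monotonic clock.

Hypothetical model, not strongSwan code. Two SAs with the same lifetime are
timed by a wall clock and by a monotonic clock; the wall clock is then stepped
as a clock-source change or NTP correction would step it.
"""
import time
from typing import Callable


class SaLifetime:
    """One IPsec SA's lifetime (hypothetical model).

    `clock` is any callable returning seconds. time.monotonic gives the
    monotonic behaviour; time.time would give the wall-clock behaviour.
    """

    def __init__(self, lifetime: float, clock: Callable[[], float]):
        self.lifetime = lifetime
        self.clock = clock
        self.installed_at = clock()

    def remaining(self) -> float:
        """Seconds until the SA should be rekeyed or deleted; negative if overdue."""
        return self.lifetime - (self.clock() - self.installed_at)

    def expired(self) -> bool:
        return self.remaining() <= 0


class FakeClocks:
    """Constructed stand-in for the system clocks so a jump is reproducible.

    `wall` plays CLOCK_REALTIME: it advances with sleep() and also jumps on
    step_wall(). `mono` plays CLOCK_MONOTONIC: it only advances with sleep().
    """

    def __init__(self, wall_start: float = 1_400_000_000.0, mono_start: float = 500.0):
        self.wall = wall_start
        self.mono = mono_start

    def sleep(self, seconds: float) -> None:
        self.wall += seconds
        self.mono += seconds

    def step_wall(self, delta: float) -> None:
        # A clock-source change or NTP step: wall time jumps, monotonic does not.
        self.wall += delta


def install_sa(lifetime: float) -> SaLifetime:
    """How an SA should be timed on a real host: backed by the monotonic clock."""
    return SaLifetime(lifetime, time.monotonic)


def simulate(lifetime: float, elapsed: float, jump: float) -> dict:
    """Install one SA per clock, let `elapsed` seconds pass, then step the
    wall clock by `jump` seconds. Returns what each SA believes afterwards."""
    clocks = FakeClocks()
    by_wall = SaLifetime(lifetime, lambda: clocks.wall)
    by_mono = SaLifetime(lifetime, lambda: clocks.mono)

    clocks.sleep(elapsed)
    clocks.step_wall(jump)

    return {
        "wall_remaining": by_wall.remaining(),
        "wall_expired": by_wall.expired(),
        "mono_remaining": by_mono.remaining(),
        "mono_expired": by_mono.expired(),
    }


if __name__ == "__main__":
    # Wall clock jumps two hours forward 60 s after a one-hour SA was installed:
    # the wall-clock SA is torn down at once (the tunnel "goes for a toss"),
    # the monotonic SA still has 3540 s left.
    print(simulate(lifetime=3600, elapsed=60, jump=7200))
    # Wall clock jumps two hours backward: the wall-clock SA now outlives its
    # intended lifetime, so the keys stay in use far longer than configured.
    print(simulate(lifetime=3600, elapsed=60, jump=-7200))
```

The backward jump is the case worth noting from a defender's view: a premature expiry is visible as a dropped tunnel, but an SA whose lifetime is silently extended keeps the same keys in use past the configured rekey point with nothing in the logs to show for it. Timing SAs on a monotonic clock, as the reply says strongSwan has done since 4.3.5, removes both failure modes; the kernel-side SAD lifetimes the reply mentions are a separate matter and are not modelled here.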


