[strongSwan] why is "rekeying disabled" seen in the "ipsec statusall" output?

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue May 26 13:49:00 CEST 2015


Hi All

Can somebody enlighten me on this observation of "rekeying disabled" when
it is actually enabled (as by default settings)?

thanks & regards
rajiv



On Sun, May 24, 2015 at 10:23 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:

> Hi
>
> I have a network setup for ipsec tunnels as in the attached txt doc (also
> contains other info such as syslogs, "ipsec.conf" configs, etc)
>
> It's a setup with a central-gw behind which there is a file-server. There
> are about 3 branches (gw2/gw3/gw4) which establish site-to-site ipsec
> tunnels to the central-gw, and all the pcs behind each of these
> remote-peer-gws send/receive udp traffic to the file-server behind the
> central-gw
>
> Now my observation on one of the branch-Gws (it's seen on all the
> remote-branch-gws) for the output of "ipsec statusall" command is as below:
> ================================
> root at OpenWrt:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.2.26, armv7l):
>   uptime: 2 hours, since May 24 14:00:01 2015
>   malloc: sbrk 249856, mmap 0, used 119272, free 130584
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-pfkeyc
> Listening IP addresses:
>   169.254.0.1
>   2.2.2.4
>   2006::4
>   192.168.9.1
>   2018::9
> Connections:
>    mainconn1:  2.2.2.4...172.16.10.2  IKEv2, dpddelay=30s
>    mainconn1:   local:  [C=IN, O=strongSwan, CN=gateway3] uses public key authentication
>    mainconn1:    cert:  "C=IN, O=strongSwan, CN=gateway3"
>    mainconn1:   remote: [C=IN, O=strongSwan, CN=gateway1] uses public key authentication
>    mainconn1:   child:  192.168.9.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=restart
> Routed Connections:
>    mainconn1{1}:  ROUTED, TUNNEL
>    mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
> Security Associations (1 up, 0 connecting):
>    mainconn1[8]: ESTABLISHED 8 minutes ago, 2.2.2.4[C=IN, O=strongSwan, CN=gateway3]...172.16.10.2[C=IN, O=strongSwan, CN=gateway1]
>    mainconn1[8]: IKEv2 SPIs: ffd238335e9f7ba1_i* 1371e5cc4fb46730_r, rekeying in 5 minutes
>    mainconn1[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
>    mainconn1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c6dd7c96_i c3b29204_o
>    mainconn1{1}:  AES_CBC_256/HMAC_SHA1_96, 61233208 bytes_i (0 pkts, 522s ago), 65250496 bytes_o (0 pkts, 522s ago), rekeying disabled
>    mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
> root at OpenWrt:/etc#
> ===========================================
>
> If you refer to the configs used on central-gw and branch-gw3, you will
> see that I have set smaller lifetimes on the branch-gw and a larger
> lifetime on central-gw. This was to ensure that the rekeying is initiated
> from only one end always
>
> Also the dpdaction=clear setting is used only on central-gw, whereas the
> branch-gws have the setting of "dpdaction=restart"
>
> I have not changed any default settings for rekey (it is yes by default),
> but then again we see this "rekeying disabled" message. Why is this shown?
> What's the significance or meaning of this output? Is my config wrong
> somewhere?
>
> thanks & regards
> rajiv
>
> PS: my suggestion is to please use "Textpad" to open/read the attached txt
> file.
>
>
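The `ipsec statusall` lines quoted above have a regular shape, which makes them easy to check from a monitoring job instead of by eye. The parser below is an added example, not code from the post or from the strongSwan project: it pulls the rekey field out of every IKE_SA and CHILD_SA line and reports the SAs for which charon prints `rekeying disabled`. The sample input is the post's own output for `mainconn1` (with the mail-wrapped lines rejoined), followed by a `branchconn` IKE_SA/CHILD_SA pair that is constructed here for contrast and does not come from the post; the `SaRekey` class and its field names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IKE_SA line, e.g.
#   mainconn1[8]: IKEv2 SPIs: ffd238335e9f7ba1_i* 1371e5cc4fb46730_r, rekeying in 5 minutes
# The "*" marks the initiator SPI; the text after the SPIs is the rekey status.
IKE_SA_RE = re.compile(
    r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]:\s+IKEv\d\s+SPIs:\s+"
    r"(?P<spi_i>[0-9a-f]+)_i\*?\s+(?P<spi_r>[0-9a-f]+)_r\*?,\s+(?P<rekey>.+?)\s*$"
)

# CHILD_SA traffic/rekey line, e.g.
#   mainconn1{1}:  AES_CBC_256/HMAC_SHA1_96, 61233208 bytes_i (0 pkts, 522s ago),
#                  65250496 bytes_o (0 pkts, 522s ago), rekeying disabled
# The INSTALLED/SPI line and the traffic-selector line of the same CHILD_SA do
# not match this pattern and are skipped.
CHILD_SA_RE = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<alg>\S+),\s+"
    r"(?P<bytes_i>\d+)\s+bytes_i.*?,\s+(?P<bytes_o>\d+)\s+bytes_o.*?,\s+"
    r"(?P<rekey>rekeying .+?)\s*$"
)


@dataclass
class SaRekey:
    """Rekey status of one SA as printed by `ipsec statusall` (names are mine)."""
    kind: str                        # "IKE_SA" or "CHILD_SA"
    name: str                        # connection name, e.g. mainconn1
    unique_id: int                   # the [n] / {n} unique id charon assigns
    rekey: str                       # the rekey text exactly as charon printed it
    bytes_in: Optional[int] = None   # CHILD_SA only
    bytes_out: Optional[int] = None  # CHILD_SA only

    @property
    def rekeying_disabled(self) -> bool:
        return self.rekey.startswith("rekeying disabled")


def parse_statusall(text: str) -> List[SaRekey]:
    """Extract the rekey status of every IKE_SA and CHILD_SA in statusall output."""
    sas: List[SaRekey] = []
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas.append(SaRekey("IKE_SA", m["name"], int(m["id"]), m["rekey"]))
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            sas.append(SaRekey("CHILD_SA", m["name"], int(m["id"]), m["rekey"],
                               int(m["bytes_i"]), int(m["bytes_o"])))
    return sas


def rekey_disabled(text: str) -> List[SaRekey]:
    """Return only the SAs for which charon reports 'rekeying disabled'."""
    return [sa for sa in parse_statusall(text) if sa.rekeying_disabled]


# Sample input: the post's own output for mainconn1 (mail-wrapped lines
# rejoined), followed by a constructed "branchconn" pair that is NOT from the
# post and only shows a healthy SA passing the check.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
   mainconn1[8]: ESTABLISHED 8 minutes ago, 2.2.2.4[C=IN, O=strongSwan, CN=gateway3]...172.16.10.2[C=IN, O=strongSwan, CN=gateway1]
   mainconn1[8]: IKEv2 SPIs: ffd238335e9f7ba1_i* 1371e5cc4fb46730_r, rekeying in 5 minutes
   mainconn1[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
   mainconn1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c6dd7c96_i c3b29204_o
   mainconn1{1}:  AES_CBC_256/HMAC_SHA1_96, 61233208 bytes_i (0 pkts, 522s ago), 65250496 bytes_o (0 pkts, 522s ago), rekeying disabled
   mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
   branchconn[3]: ESTABLISHED 41 minutes ago, 10.0.0.1[gw-a]...10.0.0.2[gw-b]
   branchconn[3]: IKEv2 SPIs: 0000000000000aaa_i 0000000000000bbb_r*, rekeying in 2 hours
   branchconn{2}:  INSTALLED, TUNNEL, ESP SPIs: c000000a_i c000000b_o
   branchconn{2}:  AES_GCM_16_256, 1024 bytes_i (8 pkts, 3s ago), 2048 bytes_o (8 pkts, 3s ago), rekeying in 42 minutes
   branchconn{2}:   10.1.0.0/24 === 10.2.0.0/24
"""

if __name__ == "__main__":
    for sa in parse_statusall(SAMPLE_STATUS):
        flag = "  <-- check this connection's rekey/lifetime settings" if sa.rekeying_disabled else ""
        print(f"{sa.kind:8} {sa.name}[{sa.unique_id}]: {sa.rekey}{flag}")
```

Feed it the `ipsec statusall` output collected from each gateway (a cron job is enough); a CHILD_SA it reports is one for which charon shows no scheduled rekey time, which is worth comparing against the `rekey` and lifetime settings of that connection in `ipsec.conf` before the SA runs out.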