[strongSwan] why is "rekeying disabled" seen in the "ipsec statusall" output?
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Tue May 26 16:44:10 CEST 2015
Hello Tobias,
Thanks for the help and the pointer to the wiki page with the important info.
Yes, of course... as you said, with the values I have used for lifetime,
rekeytime would be <=0.
So for my specific requirement of ensuring quick rekeys, should I use
rekeymargin as <=3m, so that rekeytime would not become 0? This is
required for my setup to reproduce a crash which happens after multiple
rekeying, while constant traffic (bidirectional UDP and/or TCP streams) is
flowing through the established IPsec tunnel.
I am trying to ascertain whether the crash is happening during a rekey
collision or due to some other reason. My GW platform is OpenWrt and I am
running v5.0.4-strongswan
(I am keeping ikelifetime as 30m)
thanks & regards
rajiv
On Tue, May 26, 2015 at 6:09 PM, Tobias Brunner <tobias at strongswan.org>
wrote:
> Hi Rajiv,
>
> Please refer to [1] for the formula how rekey times are calculated.
>
> In your particular case with
>
> > keylife=15m
> > rekeymargin=9m
>
> the rekey time could be <= 0, effectively disabling rekeying.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
>
>
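
Added example, not part of the original messages and not strongSwan code: it computes the window in which the randomized rekey time can fall for a given lifetime and margin, using the formula from the ExpiryRekey wiki page cited as [1]. Assumptions: the ipsec.conf default rekeyfuzz of 100%, a uniform random draw, and hypothetical function names.

```python
# Added example (not strongSwan code): bounds of the randomized rekey time
# for ipsec.conf lifetime/margin values, per the ExpiryRekey formula
#   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Convert an ipsec.conf time value such as '15m' or '900' to seconds."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not match:
        raise ValueError(f"not an ipsec.conf time value: {value!r}")
    return int(match.group(1)) * UNITS[match.group(2)]

def rekey_window(lifetime, margin, fuzz_percent=100):
    """Return (earliest, latest) rekey time in seconds; either may be <= 0."""
    life, marg = parse_time(lifetime), parse_time(margin)
    max_fuzz = marg * fuzz_percent / 100
    return life - marg - max_fuzz, life - marg

def disabled_fraction(lifetime, margin, fuzz_percent=100):
    """Fraction of draws giving rekeytime <= 0 (assumes a uniform draw)."""
    earliest, latest = rekey_window(lifetime, margin, fuzz_percent)
    if latest <= 0:
        return 1.0   # even with zero fuzz the rekey time is not positive
    if earliest > 0:
        return 0.0   # even with maximum fuzz the rekey time stays positive
    return -earliest / (latest - earliest)

def max_safe_margin(lifetime, fuzz_percent=100):
    """Margin (seconds) below which the largest fuzz keeps rekeytime > 0."""
    return parse_time(lifetime) / (1 + fuzz_percent / 100)

if __name__ == "__main__":
    # Values from the thread (15m/9m, 3m margin, 30m ikelifetime).
    for life, marg in [("15m", "9m"), ("15m", "3m"), ("30m", "9m")]:
        lo, hi = rekey_window(life, marg)
        print(f"lifetime={life} margin={marg}: rekey in [{lo:.0f}s, {hi:.0f}s], "
              f"disabled in {disabled_fraction(life, marg):.0%} of draws")
    print(f"15m lifetime: keep margin under {max_safe_margin('15m'):.0f}s")
```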