[strongSwan] why is "rekeying disabled" seen in the "ipsec statusall" output?
rajivkulkarni69 at gmail.com
Tue May 26 16:44:10 CEST 2015
Thanks for the help and the pointer to the wiki page with the important info.
Yes, of course... as you said, with the values I have used for lifetime,
rekeytime would be <=0.
So for my specific requirement of ensuring quick rekeys, should I use
rekeymargin as <=3m, so that rekeytime would not become 0? This is
required for my setup to reproduce a crash which happens after multiple
rekeying, while constant traffic (bidirectional UDP and/or TCP streams) is
flowing through the established IPsec tunnel.
I am trying to ascertain whether the crash is happening during a rekey
collision or due to some other reason. My GW platform is OpenWrt and I am
(I am keeping ikelifetime as 30m)
Thanks & regards
On Tue, May 26, 2015 at 6:09 PM, Tobias Brunner <tobias at strongswan.org>
> Hi Rajiv,
> Please refer to  for the formula how rekey times are calculated.
> In your particular case with
> > keylife=15m
> > rekeymargin=9m
> the rekey time could be <= 0, effectively disabling rekeying.
>  https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey