[strongSwan] why is "rekeying disabled" seen in the "ipsec statusall" output?

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue May 26 16:44:10 CEST 2015

Hello Tobias,

Thanks for the help and the pointer to the wiki-page with the important info

Yes ofcourse...as you said with the values i have used for lifetime,
rekeytime would be <=0.

So for my specific requirement of ensuring quick rekeys, should i use
rekeymargin as <=3m? so that rekeytime would not become 0?. This is
required for my setup to reproduce a crash which happens after multiple
rekeying, while constant traffic (bidiectional udp and/or tcp streams)
flowing thru the established ipsec tunnel.

Iam trying to ascertain whether the crash is happening during a rekey
collision or due to some other reason. My GW platform is openwrt and iam
running v5.0.4-strongswan

(iam keeping ikelifetime as 30m)

thanks & regards

On Tue, May 26, 2015 at 6:09 PM, Tobias Brunner <tobias at strongswan.org>

> Hi Rajiv,
> Please refer to [1] for the formula how rekey times are calculated.
> In your particular case with
> > keylife=15m
> > rekeymargin=9m
> the rekey time could be <= 0, effectively disabling rekeying.
> Regards,
> Tobias
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150526/81e90ba6/attachment.html>

More information about the Users mailing list