[strongSwan] rekeying IKEv2 SA
Mike Taylor
mtaylor at unicoi.com
Sat Jul 1 00:04:10 CEST 2017
Hi Tobias,
Indeed I was able to get StrongSwan to rekey the IKEv2 SA by adding
ike=3des-sha1-modp1024
as in
conn %default
    ikelifetime=12m
    lifetime=1h
    margintime=3m
    keyexchange=ikev2
    authby=secret
    reauth=no
    rekey=yes
    ike=3des-sha1-modp1024
It is interesting to note that, with that change, one might think that it would
only include this suite in the proposed transforms in the CREATE_CHILD_SA
request, but it offers 3 separate proposals, each with a large number of transforms.
In any case, for my purposes it is OK, but it seems like a bug given that the original
error was a complaint about an elliptic curve group not being available.
Regards,
Mike
-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Friday, June 30, 2017 12:07 AM
To: Mike Taylor; users at lists.strongswan.org
Subject: Re: [strongSwan] rekeying IKEv2 SA
Hi Mike,
> ikelifetime=6m
> margintime=3m
Not ideal as that, depending on rekeyfuzz and the randomization, could
result in rekeying getting disabled (see the formula on the ExpiryRekey
page).
> If I change reauth=yes to reauth=no
You definitely have to disable reauth to use rekeying, otherwise the
IKE_SA is reauthenticated.
> then it gets worse and periodically
> Charon sends an empty (no payloads) CREATE_CHILD_SA packet which
> the other IKE naturally rejects as invalid syntax.
Check the logs.
> I tried to follow
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey.
> But I find it somewhat confusing about what goes where.
What did you find confusing?
Regards,
Tobias
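A small checker for the two points Tobias raises (the margintime/rekeyfuzz interaction and reauth=yes), added here as an example; it is not code from the thread or from strongSwan. It parses a constructed conn %default fragment carrying Mike's original 6m/3m settings and reports why IKE_SA rekeying might not happen. The rekey formula it assumes (ikelifetime minus margintime minus a random share of margintime scaled by rekeyfuzz) is my reading of the ExpiryRekey page; verify it against the wiki.

```python
import re

# Constructed ipsec.conf fragment with the settings from the original question.
IPSEC_CONF = """
conn %default
    ikelifetime=6m
    margintime=3m
    keyexchange=ikev2
    authby=secret
    reauth=yes
    rekey=yes
"""

def parse_duration(value):
    """Convert an ipsec.conf time value (s/m/h/d suffix, default seconds) to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def parse_conn(text, name="%default"):
    """Return the key=value settings of one conn section as a dict."""
    settings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            continue
        if current == name and "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def rekey_window(settings):
    """Earliest/latest IKE_SA rekey time in seconds (ipsec.conf defaults: 3h, 9m, 100%).
    Assumed formula: ikelifetime - (margintime + random(0, margintime * rekeyfuzz/100))."""
    life = parse_duration(settings.get("ikelifetime", "3h"))
    margin = parse_duration(settings.get("margintime", "9m"))
    fuzz = int(settings.get("rekeyfuzz", "100%").rstrip("%"))
    latest = life - margin
    return latest - margin * fuzz // 100, latest

def check_rekeying(settings):
    """Return findings explaining why the IKE_SA may never be rekeyed."""
    findings = []
    if settings.get("reauth", "yes") == "yes":
        findings.append("reauth=yes: the IKE_SA is reauthenticated instead of rekeyed")
    if settings.get("rekey", "yes") == "no":
        findings.append("rekey=no: rekeying is disabled outright")
    earliest, latest = rekey_window(settings)
    if earliest <= 0:
        findings.append(f"rekey window [{earliest}s, {latest}s] reaches 0: rekeying may be disabled")
    return findings
```

With the corrected settings (ikelifetime=12m, reauth=no) the window becomes [360s, 540s] and the checker reports nothing.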