[strongSwan] rekeying IKEv2 SA
Mike Taylor
mtaylor at unicoi.com
Fri Jun 30 02:46:58 CEST 2017
Hi,
I have been trying to get StrongSwan 5.5.3 to rekey the IKEv2 SA, as opposed
to the IPsec SA. So far no success. Can someone provide an example ipsec.conf
and/or other conf file that shows correct configuration? I tried in
ipsec.conf:
conn %default
    ikelifetime=6m
    margintime=3m
    keylife=6m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    reauth=yes
    rekey=yes
I see periodic rekeying of the IPsec SA but not the IKEv2 SA.
If I change reauth=yes to reauth=no then it gets worse and periodically
Charon sends an empty (no payloads) CREATE_CHILD_SA packet which
the other IKE naturally rejects as invalid syntax.
I tried to follow
https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey.
But I find it somewhat confusing about what goes where. I tried enabling
rekey_time in swanctl.conf as well and got the same problem with empty
CREATE_CHILD_SA.
Regards,
Mike