[strongSwan] rekeying IKEv2 SA
Tobias Brunner
tobias at strongswan.org
Fri Jun 30 09:07:21 CEST 2017
Hi Mike,
> ikelifetime=6m
> margintime=3m
Not ideal as that, depending on rekeyfuzz and the randomization, could
result in rekeying getting disabled (see the formula on the ExpiryRekey
page).
> If I change reauth=yes to reauth=no
You definitely have to disable reauth to use rekeying, otherwise the
IKE_SA is reauthenticated.
> then it gets worse and periodically
> Charon sends an empty (no payloads) CREATE_CHILD_SA packet which
> the other IKE naturally rejects as invalid syntax.
Check the logs.
> I tried to follow
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey.
> But I find it somewhat confusing about what goes where.
What did you find confusing?
Regards,
Tobias