[strongSwan] Default value of inactivity in ipsec.conf
terry.wang at live.com
Wed Sep 13 06:58:32 CEST 2017
Thanks for the input. Appreciate it.
The behaviour I observe makes sense now.
We have the following in ipsec.conf
So CHILD_SAs get closed after keylife reaches 1 hour mark if there is no traffic sent / received.
On 12 September 2017 at 16:38, Andreas Steffen <andreas.steffen at strongswan.org<mailto:andreas.steffen at strongswan.org>> wrote:
by default no inactivity timer is set. In the default case
the CHILD SA exists until it expires.
On 12.09.2017 08:50, Terry Wang wrote:
I've been assigned to review IPsec VPN deployment configurations
(hundreds of strongSwan 5.3.2).
I want to understand how CHILD_SAs are closed if there is no traffic
sent or received.
Based on: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
`inactivity` defines the timeout interval after which a CHILD_SA (phase
2 SA) is closed if it does not send or receive any traffic.
I've looked at the source code:
There is no default value assigned to the variable inactivity
(uint32_t). So how does charon (strongSwan) decide when to close a
CHILD_SA if no traffic is sent/received.
Andreas Steffen andreas.steffen at strongswan.org<mailto:andreas.steffen at strongswan.org>
strongSwan - the Open Source VPN Solution! www.strongswan.org<http://www.strongswan.org>
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users