[strongSwan] Default value of inactivity in ipsec.conf
Terry Wang
terry.wang at live.com
Wed Sep 13 06:58:32 CEST 2017
Hi Andreas,
Thanks for the input. Appreciate it.
The behaviour I observe makes sense now.
We have the following in ipsec.conf
ikelifetime=86400s
keylife=3600s
So CHILD_SAs get closed after keylife reaches the 1-hour mark if there is no traffic sent / received.
Thanks,
Terry
On 12 September 2017 at 16:38, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
Hi Terry,
by default no inactivity timer is set. In the default case
the CHILD SA exists until it expires.
Regards
Andreas
On 12.09.2017 08:50, Terry Wang wrote:
Hi folks,
I've been assigned to review IPsec VPN deployment configurations
(hundreds of strongSwan 5.3.2).
I want to understand how CHILD_SAs are closed if there is no traffic
sent or received.
Based on: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
`inactivity` defines the timeout interval after which a CHILD_SA (phase
2 SA) is closed if it does not send or receive any traffic.
I've looked at the source code:
* src/libcharon/config/child_cfg.c
* src/libcharon/config/child_cfg.h
There is no default value assigned to the variable inactivity
(uint32_t). So how does charon (strongSwan) decide when to close a
CHILD_SA if no traffic is sent/received?
Thanks,
Terry
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
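The thread's point is that `inactivity` has no default, so a conn whose section does not set it never closes a CHILD_SA for idleness and the SA simply lives out its keylife. As an added example (not code from the thread or from the strongSwan project), this Python audit script parses ipsec.conf conn sections, resolves `conn %default`, and reports per conn whether an inactivity timer exists; the sample config, the section names and the strongSwan fallback values of 3h/1h are assumptions, and `also=` chaining is not resolved.

```python
"""Audit ipsec.conf conn sections for CHILD_SA idle-close behaviour."""
import re

# Assumed strongSwan fallbacks when a key is absent; inactivity has none.
DEFAULTS = {"ikelifetime": "3h", "keylife": "1h"}
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an ipsec.conf duration such as '3600s', '10m', '1h', '2d' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header, e.g. 'conn site-a'
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:                  # indented 'key=value' inside a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.get("%default", {})
    return {n: {**defaults, **p} for n, p in sections.items() if n != "%default"}


def idle_close_report(conns):
    """Per conn: inactivity timer (if any) and the keylife the SA otherwise lives to."""
    report = {}
    for name, p in conns.items():
        keylife = p.get("keylife", p.get("lifetime", DEFAULTS["keylife"]))  # lifetime is the alias
        inactivity = p.get("inactivity")
        report[name] = {
            "inactivity_s": parse_duration(inactivity) if inactivity else None,
            "keylife_s": parse_duration(keylife),
            "closes_on_idle": inactivity is not None,
        }
    return report


# Constructed sample config mirroring the values quoted in the thread.
SAMPLE = """\
config setup
    uniqueids=yes
conn %default
    ikelifetime=86400s
    keylife=3600s
conn site-a
    left=192.0.2.1
    right=198.51.100.1
conn site-b
    inactivity=10m   # explicit idle timer
    keylife=2h
"""

if __name__ == "__main__":
    for conn, info in idle_close_report(parse_ipsec_conf(SAMPLE)).items():
        print(conn, info)
```

Running it lists site-a as never closing on idle (keylife 3600s only) and site-b as closing after 600s of inactivity.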