[strongSwan] Default value of inactivity in ipsec.conf

Terry Wang terry.wang at live.com
Wed Sep 13 06:58:32 CEST 2017

Hi Andreas,

Thanks for the input. Appreciate it.

The behaviour I observe makes sense now.

We have the following in ipsec.conf


So CHILD_SAs get closed after keylife reaches 1 hour mark if there is no traffic sent / received.


On 12 September 2017 at 16:38, Andreas Steffen <andreas.steffen at strongswan.org<mailto:andreas.steffen at strongswan.org>> wrote:
Hi Terry,

by default no inactivity timer is set. In the default case
the CHILD SA exists until it expires.



On 12.09.2017 08:50, Terry Wang wrote:
Hi folks,

I've been assigned to review IPsec VPN deployment configurations
(hundreds of strongSwan 5.3.2).

I want to understand how CHILD_SAs are closed if there is no traffic
sent or received.

Based on: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

`inactivity` defines the timeout interval after which a CHILD_SA (phase
2 SA) is closed if it does not send or receive any traffic.

I've looked at the source code:

  * src/libcharon/config/child_cfg.c
  * src/libcharon/config/child_cfg.h

There is no default value assigned to the variable inactivity
(uint32_t). So how does charon (strongSwan) decide when to close a
CHILD_SA if no traffic is sent/received.


Andreas Steffen                         andreas.steffen at strongswan.org<mailto:andreas.steffen at strongswan.org>
strongSwan - the Open Source VPN Solution!          www.strongswan.org<http://www.strongswan.org>
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170913/354a0b61/attachment-0001.html>

More information about the Users mailing list