Hello Andreas,

I have been trying to set up rekeying of both the IKE SA and the IPsec SA, but there is some confusion as to what is really the correct behaviour. I understand that there are some attributes which need to be set:

ikelifetime, lifetime, rekeymargin, rekeyfuzz, rekey, reauth

We have a requirement to start rekeying at 80% of the time given in ikelifetime | lifetime. I am not sure how to get this done. Can the ikelifetime and lifetime values be close, or do they have to be far apart? Also, can you please tell me under what scenarios rekeyfuzz, rekey and reauth are used? Do these rekeying values have to be the same on both peers, or can they be different? If they are different, do the peers agree on a common value? Please explain this with respect to IKEv1 and IKEv2.

I tried with the parameters below, and this is what I got:

ikelifetime=24h
lifetime=10m
rekeymargin=2m

FBM# ipsec status
000 "host-host": 10.10.10.0/24===10.10.10.2[C=FI, O=Insta, CN=Test]...10.10.10.5[C=FI, O=Insta, CN=Test]===10.10.10.0/24; ero2
000 "host-host": newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "host-host" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 377s; newest IPSEC; eroute owner
000 #2: "host-host" esp.fb533...@10.10.10.5 (0 bytes) esp.dce7c...@10.10.10.2 (0 bytes); tunnel
000 #1: "host-host" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 86121s; newest ISAKMP

This was taken as soon as the IPsec SA was established. From this I understand that the IPsec SA is going to be replaced in 377s and the ISAKMP SA in 86121s. But these values on the other peer were different, even though I gave the same rekeying values.

FBM# ipsec status
000 "host-host": 10.10.10.0/24===10.10.10.2[C=FI, O=Insta, CN=Test]...10.10.10.5[C=FI, O=Insta, CN=Test]===10.10.10.0/24; ero3
000 "host-host": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "host-host" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 385s; newest IPSEC; eroute owner
000 #3: "host-host" esp.d31d7...@10.10.10.5 (0 bytes) esp.bab02...@10.10.10.2 (0 bytes); tunnel
000 #2: "host-host" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 164s
000 #2: "host-host" esp.fb533...@10.10.10.5 (0 bytes) esp.dce7c...@10.10.10.2 (0 bytes); tunnel
000 #1: "host-host" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85740s; newest ISAKMP

I took this after the 377s of the first IPsec SA had elapsed. A new IPsec SA was established with the time showing 385s, and the previous IPsec SA says expire in 164s.

Now, I am not sure how these values are being calculated. Would it be possible for you to put working logs for rekeying on wiki.strongswan so that I can refer to them? By the way, I am using strongSwan version 4.3.4. I hope there are no patches related to rekeying for this version; if there are, please let me know.

I am sorry to put up so many questions.

Thanks & Regards,
Ashish.

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
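A worked calculation of the timers shown in the status output above, added here as an example and not part of the original post or of strongSwan's own code. It assumes the rule pluto (the strongSwan 4.x IKEv1 daemon) applies when scheduling EVENT_SA_REPLACE: the initiator subtracts rekeymargin plus a random fuzz of up to rekeyfuzz percent of it from the lifetime, the responder subtracts half of rekeymargin, and an SA whose lifetime is not larger than that margin only gets EVENT_SA_EXPIRE.

```python
import random

# Assumed rule (pluto, strongSwan 4.x IKEv1) for scheduling the replace event:
#   initiator: margin = rekeymargin + int(rekeymargin * rekeyfuzz/100 * U[0,1))
#   responder: margin = rekeymargin // 2
#   lifetime > margin  -> EVENT_SA_REPLACE at lifetime - margin
#   otherwise          -> EVENT_SA_EXPIRE at lifetime (no rekey attempt)
# When the replacement fires, the old SA is left with EVENT_SA_EXPIRE in
# `margin` seconds, i.e. it still dies at its original hard lifetime.

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """ipsec.conf style duration ("24h", "10m", "120s" or bare seconds) -> seconds."""
    value = value.strip()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def schedule(lifetime, rekeymargin, rekeyfuzz=100, initiator=True, rng=random.random):
    """One concrete timer draw: (event, seconds after establishment, margin used)."""
    if initiator:
        margin = rekeymargin + int(rekeymargin * rekeyfuzz / 100.0 * rng())
    else:
        margin = rekeymargin // 2
    if lifetime > margin:
        return ("EVENT_SA_REPLACE", lifetime - margin, margin)
    return ("EVENT_SA_EXPIRE", lifetime, margin)


def replace_window(lifetime, rekeymargin, rekeyfuzz=100, initiator=True):
    """(earliest, latest) replace time over all fuzz draws, for an SA that can be rekeyed."""
    earliest = schedule(lifetime, rekeymargin, rekeyfuzz, initiator, rng=lambda: 1 - 1e-12)[1]
    latest = schedule(lifetime, rekeymargin, rekeyfuzz, initiator, rng=lambda: 0.0)[1]
    return (earliest, latest)


if __name__ == "__main__":
    # The post's settings: ikelifetime=24h, lifetime=10m, rekeymargin=2m, default rekeyfuzz=100%.
    ike, life, marg = parse_time("24h"), parse_time("10m"), parse_time("2m")
    for role in (True, False):
        name = "initiator" if role else "responder"
        print(name, "IPsec SA replace window:", replace_window(life, marg, 100, role))
        print(name, "ISAKMP SA replace window:", replace_window(ike, marg, 100, role))
    # 377s and 385s both lie inside the initiator window (361, 480); the responder
    # peer computes 540s from the same settings, so its status legitimately differs.
```

Because the fuzz is drawn locally and the responder uses a fixed half margin, rekeymargin and rekeyfuzz are never negotiated; only the lifetimes are exchanged in the proposal.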