Dear all,

Recently I have been doing some tests of the ikelifetime and keylife settings in ipsec.conf. I am using version strongswan-4.3.2. The client uses EAP authentication and the security gateway uses public key authentication. In the security gateway, ikelifetime and keylife are not set. In the following cases, the console logs and "ipsec statusall" output are from the client.

(1) In the client, I set ikelifetime=36000 (10 hours) and no keylife, and then initiate the connection to the security gateway. I found that during tunnel setup the log shows the following two lines:

       scheduling reauthentication in 35355s
       maximum IKE_SA lifetime 35895s

and ipsec statusall shows ......................................, EAP reauthentication in 2 hours................................, rekeying in 41 minutes, ...............................

(2) In the next test, I removed ikelifetime=36000 (10 hours) from ipsec.conf in the client and kept the other settings in the client and security gateway. So there are no ikelifetime and keylife settings in either the client or the gateway right now. The log shows:

       scheduling reauthentication in 10203s
       maximum IKE_SA lifetime 10743s

and ipsec statusall shows ......................................, EAP reauthentication in 2 hours................................, rekeying in 50 minutes, ...............................

What is the relation between the ikelifetime setting and EAP reauthentication? It seems EAP authentication will occur at least every 2 hours (if rekeying is enabled) even if ikelifetime is greater than 2 hours? Is this the upper bound of the strongswan setting? Will transmitted data packets be lost when IKE_SA rekeying or Child_SA rekeying happens?

(3) Following the setting in (2) (no ikelifetime and keylife in either client or gw), if I add reauth=no and rekey=no in both client and security gateway, the logs "scheduling reauthentication" and "maximum IKE_SA lifetime" are NOT shown on the console, and ipsec statusall shows ......................................, rekeying disabled................................, rekeying disabled, ...............................

In this case, will the IKE_SA and Child_SA never rekey? So does this reduce the security level due to the lack of rekeying?

Thank you all. ^______^


      
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
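The two logged pairs above (35355s/35895s and 10203s/10743s) both differ by exactly 540s, i.e. the default margintime of 9m, which is what you would expect if the reauth point is ikelifetime minus margintime minus a random jitter of up to margintime*rekeyfuzz, and the hard limit is that point plus margintime. The following is an added illustration, not code from strongSwan or from the poster; the scheduling formula is an assumption reconstructed from those numbers, and the defaults (ikelifetime=3h, margintime=9m, rekeyfuzz=100%) are the documented ipsec.conf defaults.

```python
"""Reconstruct IKE_SA reauth/rekey scheduling from ipsec.conf lifetime values.

Assumed rule (consistent with the logged numbers in the post, not copied from
strongSwan): soft point = ikelifetime - margintime - jitter, jitter drawn from
[0, margintime * rekeyfuzz / 100); hard limit = soft point + margintime.
"""
import random

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Convert an ipsec.conf time value ('36000', '10h', '9m') to seconds."""
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def schedule(ikelifetime="3h", margintime="9m", rekeyfuzz=100, jitter=None, rng=None):
    """Return (soft_point, hard_limit) in seconds.

    soft_point is what the log calls 'scheduling reauthentication in Ns'
    (or rekeying, when reauth=no); hard_limit is 'maximum IKE_SA lifetime'.
    Pass jitter explicitly to reproduce a specific log line; otherwise a random
    jitter is drawn, which is why each run logs a slightly different value.
    """
    life, margin = parse_time(ikelifetime), parse_time(margintime)
    max_jitter = margin * rekeyfuzz // 100
    if jitter is None:
        jitter = (rng or random).randrange(max_jitter) if max_jitter else 0
    soft = life - margin - jitter
    return soft, soft + margin


def jitter_for_log(ikelifetime, reauth_at, max_lifetime, margintime="9m", rekeyfuzz=100):
    """Check whether a logged (reauth_at, max_lifetime) pair can come from the
    given configuration; return the implied jitter, or None if it cannot."""
    life, margin = parse_time(ikelifetime), parse_time(margintime)
    if max_lifetime - reauth_at != margin:
        return None  # hard limit must sit exactly margintime after the soft point
    jitter = life - margin - reauth_at
    if not 0 <= jitter < margin * rekeyfuzz // 100:
        return None  # outside the jitter window: a different ikelifetime was in effect
    return jitter


if __name__ == "__main__":
    # The two pairs from the post: explicit ikelifetime=36000, then the 3h default.
    for cfg, pair in (("36000", (35355, 35895)), ("3h", (10203, 10743))):
        print(cfg, pair, "implied jitter:", jitter_for_log(cfg, *pair))
```

Running it shows case (1) is ikelifetime=36000 with 105s of jitter and case (2) is the 3h default with 57s of jitter; the separate 2-hour EAP reauthentication figure is not derived from these values.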