Dear Martin,

Thanks for your reply. ^______^

I have another question:

Will the transmitted data packets be lost during IKE_SA rekeying or Child_SA rekeying?

We tried to send packets continuously (ping) through the ipsec tunnel, but about every 50 minutes, the link down occurred and then recovered.

The rekeying process should not affect the transmitted data packets as there is a time period in which the old SA and the new SA are overlapped. The kernel usually uses the newer SA for outgoing packets, but accepts incoming packets on both SAs, as said in http://www.mail-archive.com/[email protected]/msg00923.html

Why will the ping down problem occur?

Thanks!

LinkUp__ 2010/06/04 22:23:05 1275661385
LinkDown 2010/06/04 23:16:30 1275664590
LinkUp__ 2010/06/04 23:16:31 1275664591
LinkDown 2010/06/05 00:07:42 1275667662
LinkUp__ 2010/06/05 00:07:42 1275667662
LinkDown 2010/06/05 01:01:16 1275670876

--- On Mon, 10/6/28, Martin Willi <[email protected]> wrote:

From: Martin Willi <[email protected]>
Subject: Re: [strongSwan] Ikelifetime Setting and Reauthentication.
To: "Jessie Liu" <[email protected]>
Cc: [email protected]
Date: Monday, June 28, 2010, 3:23 PM

Hi,

> In security gateway, ikelifetime and keylife are not set.

Not set means: use the default lifetimes.

> (2) [...] So there is not ikelifetime and keylife settings in both
> client and gateway right now.

The gateway still uses the default reauthentication interval. As we support the repeated authentication extension (RFC4478), the lifetime is negotiated to the client. The client therefore does

> EAP reauthentication in 2 hours

> What is the relation between ikelifetime setting and EAP
> reauthentication?

There is no direct relation. But as the EAP reauthentication can be triggered by the initiator only, the gateway sends its lifetime to the client. The client then enforces the reauthentication policy configured at the server.

> In this case, IKE_SA and Child_SA will not rekey forever? So this
> reduces the security level due to the lack of rekeying?

Yes and yes.

Regards
Martin
