Hi David,

> According to the description which is listed on the strongswan official
> website, the rekey time interval will be in the following scope:
>
> 1) IKE_REKEY interval:
> [IKERekeyLifetime-2*marginTime,IKERekeyLifetime-marginTime]
>
> 2) ESP_REKEY interval:
> [IPsecRekeyLifetimeTime-2*marginTime,IPsecRekeyLifetimeTime-marginTime]

I don't know which description you are referring to, but [1] is more
correct:

  rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

> Secondly, I want to set the time of rekey as a fixed value.

For a fixed ESP rekeying after 10s, and a fixed IKE rekeying after 20s, try:

  ikelifetime=30s
  lifetime=20s
  rekeymargin=10s
  rekeyfuzz=0%

It is safe to set the fuzz to zero, but you should always have a margin.
Otherwise the rekey event collides with the critical timeout where the
SA gets deleted.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
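The formula quoted in the reply, applied to the settings from this thread, as an added example that is not part of the original message and is not strongSwan code. It computes the earliest and latest rekey time for the IKE and ESP lifetimes and flags a zero margin; the function names and the SAMPLE text are constructed for illustration.

```python
# Added example (not strongSwan code). Formula quoted in the message above:
#   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # ipsec.conf time suffixes

def seconds(value):
    """Convert '30s', '9m', '1h', '2d' or a bare number of seconds to int."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_conn(text):
    """Collect key=value pairs from a conn section body (hypothetical helper)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def rekey_window(lifetime, margin, fuzz_percent):
    """Return (earliest, latest) rekey time in seconds after SA setup."""
    latest = lifetime - margin  # random part is 0
    earliest = lifetime - (margin + margin * fuzz_percent / 100)  # random part at max
    return earliest, latest

def check(text):
    """Map 'IKE'/'ESP' to (earliest, latest, problems) for the given options."""
    o = parse_conn(text)
    margin = seconds(o["rekeymargin"])
    fuzz = float(o["rekeyfuzz"].rstrip("%"))
    report = {}
    for name, key in (("IKE", "ikelifetime"), ("ESP", "lifetime")):
        lo, hi = rekey_window(seconds(o[key]), margin, fuzz)
        problems = []
        if margin == 0:
            problems.append("no margin: rekey collides with SA expiry")
        if lo <= 0:
            problems.append("margin plus fuzz can consume the whole lifetime")
        report[name] = (lo, hi, problems)
    return report

# Constructed from the settings suggested in the thread.
SAMPLE = "ikelifetime=30s\nlifetime=20s\nrekeymargin=10s\nrekeyfuzz=0%\n"

if __name__ == "__main__":
    print(check(SAMPLE))
```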
