Hi Martin,

Thank you for your detailed information!

Cheers,
David Morris

2011/1/5 Martin Willi <[email protected]>
> Hi David,
>
> > According to the description which is listed on the strongswan official
> > website, the rekey time interval will be in the following scope:
> >
> > 1) IKE_REKEY interval:
> > [IKERekeyLifetime-2*marginTime,IKERekeyLifetime-marginTime]
> >
> > 2) ESP_REKEY interval:
> > [IPsecRekeyLifetimeTime-2*marginTime,IPsecRekeyLifetimeTime-marginTime]
>
> I don't know which description you are referring to, but [1] is more
> correct:
>
>   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
>
> > Secondly, I want to set the time of rekey as fixed value.
>
> For a fixed ESP rekeying after 10s, and a fixed IKE rekeying after 20s,
> try:
>
>   ikelifetime=30s
>   lifetime=20s
>   rekeymargin=10s
>   rekeyfuzz=0%
>
> It is safe to set the fuzz to zero, but you always should have a margin.
> Otherwise the rekey event collides with the critical timeout where the
> SA gets deleted.
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
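Added example, not part of the original thread and not strongSwan code: a small checker that applies the rekeytime formula quoted above to the four settings from the message and reports the earliest and latest rekey time for the IKE and ESP SAs. The function names, the problem messages and the "fuzzed" variant are assumptions made for illustration; it reads only the four keys named in the message.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Parse an ipsec.conf time value: an integer with optional s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Collect key=value options from a conn section, dropping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def check(text):
    """Return {SA: (earliest_rekey, latest_rekey, problems)} in seconds, using
    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))."""
    o = parse_conn(text)
    margin = parse_time(o["rekeymargin"])
    fuzz = float(o["rekeyfuzz"].rstrip("%")) / 100
    result = {}
    for sa, key in (("IKE", "ikelifetime"), ("ESP", "lifetime")):
        life = parse_time(o[key])
        earliest, latest = life - margin - margin * fuzz, life - margin
        problems = []
        if margin == 0:
            problems.append("no margin: rekey collides with SA deletion")
        if earliest <= 0:
            problems.append("margin plus fuzz can consume the whole lifetime")
        result[sa] = (earliest, latest, problems)
    return result

# Settings from the message above.
FIXED = "ikelifetime=30s\nlifetime=20s\nrekeymargin=10s\nrekeyfuzz=0%\n"
# Constructed variant: same lifetimes, fuzz raised to 100%.
FUZZED = FIXED.replace("rekeyfuzz=0%", "rekeyfuzz=100%")

if __name__ == "__main__":
    for label, conf in (("fixed", FIXED), ("fuzzed", FUZZED)):
        for sa, (lo, hi, problems) in check(conf).items():
            print(f"{label} {sa}: rekey in [{lo:g}s, {hi:g}s] {problems}")
```

With the constructed 100% fuzz variant, the ESP window starts at 0s, which is why short lifetimes need the fuzz and margin checked together.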
