Hi All

Can somebody enlighten me on this observation of "rekeying disabled" when it is actually enabled (as by default settings)?

thanks & regards
rajiv

On Sun, May 24, 2015 at 10:23 PM, Rajiv Kulkarni <[email protected]> wrote:
> Hi
>
> I have a network setup for ipsec tunnels as in the attached txt doc (it also contains other info such as syslogs, "ipsec.conf" configs, etc.)
>
> It's a setup with a central-gw behind which there is a file-server. There are about 3 branches (gw2/gw3/gw4) which establish site-to-site ipsec tunnels to the central-gw, and all the PCs behind each of these remote-peer-gws send/receive udp traffic to the file-server behind the central-gw.
>
> Now my observation on one of the branch-gws (it is seen on all the remote-branch-gws) for the output of the "ipsec statusall" command is as below:
> ================================
> root@OpenWrt:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.2.26, armv7l):
>   uptime: 2 hours, since May 24 14:00:01 2015
>   malloc: sbrk 249856, mmap 0, used 119272, free 130584
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-pfkeyc
> Listening IP addresses:
>   169.254.0.1
>   2.2.2.4
>   2006::4
>   192.168.9.1
>   2018::9
> Connections:
>    mainconn1:  2.2.2.4...172.16.10.2  IKEv2, dpddelay=30s
>    mainconn1:   local:  [C=IN, O=strongSwan, CN=gateway3] uses public key authentication
>    mainconn1:    cert:  "C=IN, O=strongSwan, CN=gateway3"
>    mainconn1:   remote: [C=IN, O=strongSwan, CN=gateway1] uses public key authentication
>    mainconn1:   child:  192.168.9.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=restart
> Routed Connections:
>    mainconn1{1}:  ROUTED, TUNNEL
>    mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
> Security Associations (1 up, 0 connecting):
>    mainconn1[8]: ESTABLISHED 8 minutes ago, 2.2.2.4[C=IN, O=strongSwan, CN=gateway3]...172.16.10.2[C=IN, O=strongSwan, CN=gateway1]
>    mainconn1[8]: IKEv2 SPIs: ffd238335e9f7ba1_i* 1371e5cc4fb46730_r, rekeying in 5 minutes
>    mainconn1[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
>    mainconn1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c6dd7c96_i c3b29204_o
>    mainconn1{1}:  AES_CBC_256/HMAC_SHA1_96, 61233208 bytes_i (0 pkts, 522s ago), 65250496 bytes_o (0 pkts, 522s ago), rekeying disabled
>    mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
> root@OpenWrt:/etc#
> ===========================================
>
> If you refer to the configs used on central-gw and branch-gw3, you will see that I have set smaller lifetimes on the branch-gw and a larger lifetime on central-gw. This was to ensure that the rekeying is always initiated from only one end.
>
> Also, the dpdaction=clear setting is used only on central-gw, whereas the branch-gws have the setting "dpdaction=restart".
>
> I have not changed any default settings for rekey (it is yes by default), but then again we see this "rekeying disabled" message. Why is this shown? What's the significance or meaning of this output? Is my config wrong somewhere?
>
> thanks & regards
> rajiv
>
> PS: my suggestion is to please use "Textpad" to open/read the attached txt file.
>
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
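The two things worth checking when chasing an output like the one quoted above are (a) which SAs the daemon reports as "rekeying disabled" and how much traffic they carry, and (b) whether the lifetimes on the two ends really guarantee that only one end ever starts a rekey. The script below is an added example written for this post, not the poster's attached configs and not strongSwan's own code: it parses the `ipsec statusall` stroke layout of strongSwan 5.0.x (the sample text is constructed from the output quoted in the post), and it applies the ipsec.conf(5) rekey semantics (rekeying starts `margintime` before `lifetime` expires, with the margin randomly increased by up to `rekeyfuzz` percent) to compute each end's rekey window. The function and variable names are the example's own.

```python
"""Inspect `ipsec statusall` output and reason about rekey timing (strongSwan 5.x).

Assumptions (not taken from the post): stroke-style status layout of
strongSwan 5.0.x, and the ipsec.conf(5) rule that rekeying starts
between (lifetime - margintime*(1+rekeyfuzz/100)) and (lifetime - margintime).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "Security Associations" block quoted in the post,
# preceded by a routed entry that the parser must ignore.
SAMPLE_STATUS = """\
Routed Connections:
   mainconn1{1}:  ROUTED, TUNNEL
   mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
Security Associations (1 up, 0 connecting):
   mainconn1[8]: ESTABLISHED 8 minutes ago, 2.2.2.4[C=IN, O=strongSwan, CN=gateway3]...172.16.10.2[C=IN, O=strongSwan, CN=gateway1]
   mainconn1[8]: IKEv2 SPIs: ffd238335e9f7ba1_i* 1371e5cc4fb46730_r, rekeying in 5 minutes
   mainconn1[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
   mainconn1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c6dd7c96_i c3b29204_o
   mainconn1{1}:  AES_CBC_256/HMAC_SHA1_96, 61233208 bytes_i (0 pkts, 522s ago), 65250496 bytes_o (0 pkts, 522s ago), rekeying disabled
   mainconn1{1}:   192.168.9.0/24 === 192.168.10.0/24
"""

IKE_RE = re.compile(r"^\s*(?P<name>[^\s\[{]+)\[(?P<id>\d+)\]:\s*(?P<rest>.*)$")    # conn[8]: ...
CHILD_RE = re.compile(r"^\s*(?P<name>[^\s\[{]+)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")  # conn{1}: ...
REKEY_IN_RE = re.compile(r"rekeying in ([^,]+?)\s*$")
BYTES_RE = re.compile(r"(\d+) bytes_(i|o)")


@dataclass
class SaRecord:
    name: str
    sa_id: int
    kind: str                       # "ike" or "child"
    rekey_in: Optional[str] = None  # e.g. "5 minutes"; None if the daemon printed no time
    rekeying_disabled: bool = False
    bytes_in: int = 0
    bytes_out: int = 0


def parse_statusall(text: str) -> List[SaRecord]:
    """Collect one record per IKE_SA / CHILD_SA listed under 'Security Associations'."""
    records: Dict[Tuple[str, str, int], SaRecord] = {}
    in_sa_section = False
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_sa_section = True
            continue
        if not in_sa_section:
            continue  # skip Connections / Routed Connections / listening IPs
        kind, m = "ike", IKE_RE.match(line)
        if not m:
            kind, m = "child", CHILD_RE.match(line)
        if not m:
            continue
        key = (kind, m["name"], int(m["id"]))
        rec = records.setdefault(key, SaRecord(m["name"], int(m["id"]), kind))
        rest = m["rest"]
        if "rekeying disabled" in rest:
            rec.rekeying_disabled = True
        hit = REKEY_IN_RE.search(rest)
        if hit:
            rec.rekey_in = hit.group(1)
        for count, direction in BYTES_RE.findall(rest):
            if direction == "i":
                rec.bytes_in = int(count)
            else:
                rec.bytes_out = int(count)
    return list(records.values())


def find_rekey_disabled(records: List[SaRecord]) -> List[str]:
    """Names (conn{id} / conn[id]) of SAs the daemon reports with rekeying disabled."""
    out = []
    for r in records:
        if r.rekeying_disabled:
            out.append(f"{r.name}{{{r.sa_id}}}" if r.kind == "child" else f"{r.name}[{r.sa_id}]")
    return out


def rekey_window(lifetime_s: int, margintime_s: int, rekeyfuzz_pct: int = 100) -> Tuple[int, int]:
    """Earliest and latest second (after SA setup) at which this end starts rekeying."""
    if margintime_s >= lifetime_s:
        raise ValueError("margintime must be smaller than lifetime")
    latest = lifetime_s - margintime_s
    earliest = lifetime_s - margintime_s * (100 + rekeyfuzz_pct) // 100
    return earliest, latest


def single_initiator_ok(init_life: int, init_margin: int,
                        resp_life: int, resp_margin: int, rekeyfuzz_pct: int = 100) -> bool:
    """True if the intended initiator always rekeys before the other end could start."""
    _, init_latest = rekey_window(init_life, init_margin, rekeyfuzz_pct)
    resp_earliest, _ = rekey_window(resp_life, resp_margin, rekeyfuzz_pct)
    return resp_earliest > init_latest


if __name__ == "__main__":
    recs = parse_statusall(SAMPLE_STATUS)
    for r in recs:
        print(r)
    print("rekeying disabled on:", find_rekey_disabled(recs))
    # Hypothetical branch/central settings: 1h vs 2h lifetime, default 9m margin, 100% fuzz.
    print("branch window (s):", rekey_window(3600, 540))
    print("only branch rekeys:", single_initiator_ok(3600, 540, 7200, 540))
```

Run it against a saved `ipsec statusall` dump to get a per-SA view instead of scanning the text by eye; feed the two ends' `lifetime`/`margintime`/`rekeyfuzz` values into `single_initiator_ok` to confirm the asymmetric-lifetime arrangement actually keeps the rekey initiator on one side.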
