Hi Andreas,

Thanks for the input. Appreciate it.

The behaviour I observe makes sense now. We have the following in ipsec.conf:

    ikelifetime=86400s
    keylife=3600s

So CHILD_SAs get closed after keylife reaches the 1 hour mark if there is no traffic sent / received.

Thanks,
Terry

On 12 September 2017 at 16:38, Andreas Steffen <[email protected]> wrote:

> Hi Terry,
>
> by default no inactivity timer is set. In the default case the CHILD SA
> exists until it expires.
>
> Regards
>
> Andreas
>
> On 12.09.2017 08:50, Terry Wang wrote:
>
>> Hi folks,
>>
>> I've been assigned to review IPsec VPN deployment configurations
>> (hundreds of strongSwan 5.3.2). I want to understand how CHILD_SAs are
>> closed if there is no traffic sent or received.
>>
>> Based on:
>> https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>>
>> `inactivity` defines the timeout interval after which a CHILD_SA
>> (phase 2 SA) is closed if it does not send or receive any traffic.
>>
>> I've looked at the source code:
>>
>> * src/libcharon/config/child_cfg.c
>> * src/libcharon/config/child_cfg.h
>>
>> There is no default value assigned to the variable inactivity
>> (uint32_t). So how does charon (strongSwan) decide when to close a
>> CHILD_SA if no traffic is sent/received?
>>
>> Thanks,
>> Terry
>
> --
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
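As an added example (not from the thread, and not strongSwan's own code), a small audit script in the spirit of Terry's review task: it parses ipsec.conf conn sections, resolves `conn %default` and `also=` inheritance, and reports per conn whether an `inactivity` timer is configured alongside `keylife` and `ikelifetime`, so that conns which rely on keylife expiry alone stand out. The sample ipsec.conf, conn names and address are constructed.

```python
import re

# Constructed sample ipsec.conf (not a real deployment's file): %default carries the thread's lifetimes.
SAMPLE_IPSEC_CONF = """\
conn %default
    ikelifetime=86400s
    keylife=3600s
conn site-a
    right=198.51.100.1
conn site-b
    also=site-a
    inactivity=15m
"""

def parse_duration(value):
    """Convert a strongSwan time value such as '3600s', '1h', '10m' or '86400' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def parse_conns(text):
    """Return {conn_name: {key: raw value}}; section headers sit at column 0, keys are indented."""
    conns, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective(conns, name):
    """Apply 'conn %default' first, then the also= section (if any), then the conn's own keys."""
    merged = dict(conns.get("%default", {}))
    if "also" in conns[name]:
        merged.update(effective(conns, conns[name]["also"]))
    merged.update(conns[name])
    return merged

def audit(text):
    """Per conn: inactivity None means no idle timer, so the CHILD_SA lives until keylife expiry."""
    conns = parse_conns(text)
    report = {}
    for name in set(conns) - {"%default"}:
        s = effective(conns, name)
        s.setdefault("keylife", s.get("lifetime"))  # keylife is an alias of lifetime
        report[name] = {k: parse_duration(s[k]) if s.get(k) else None
                        for k in ("inactivity", "keylife", "ikelifetime")}
    return report
```

Run `audit(open("/etc/ipsec.conf").read())` against a real file; every conn whose `inactivity` is None behaves as Andreas describes, with the CHILD_SA kept until its keylife expires.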
