[Openswan Users] NETKEY SA lifetime

Paul Wouters paul at xelerance.com
Tue Feb 6 10:55:17 EST 2007


On Mon, 5 Feb 2007, Mike Horn wrote:

> It appears that the SA lifetime (hard or soft) is not being set in the
> NETKEY SAD entries.  What I'm mostly interested in is the "hard:" field for
> the SA.  This is set using the -lh extension if you are adding the entry
> with "setkey add".
>
> 172.4.4.10 172.3.3.5
>         esp mode=tunnel spi=3597347870(0xd66b2c1e) reqid=16397(0x0000400d)
>         E: aes-cbc  d31566a1 79a333a7 a25d3726 39cf9b7a 01f70645 5f87c0ff
> 98d3bbf3 5f054df9
>         A: hmac-sha1  614b29bc 58305971 9e2a104f 28f7cd10 6ff8fa12
>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>         created: Feb  5 12:04:44 2007   current: Feb  5 12:04:49 2007
>         diff: 5(s)      hard: 0(s)      soft: 0(s)
>                          ^ ** this is the value that I'm looking for **
>
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=0 pid=10405 refcnt=0
>
> Is there any way to see the SA lifetime other than looking in the tunnel
> configuration?  Thanks!

You can run ipsec auto --status and see:

000 "amsterdam--ssw-net1": 193.110.157.0/24===194.109.7.250---194.109.7.249...205.150.200.129---205.150.200.134===205.150.200.160/28; erouted;
 eroute owner: #7945
000 "amsterdam--ssw-net1":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "amsterdam--ssw-net1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "amsterdam--ssw-net1":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,28; interface: eth0; encap: esp;
000 "amsterdam--ssw-net1":   newest ISAKMP SA: #7967; newest IPsec SA: #7945;
000 "amsterdam--ssw-net1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "amsterdam--ssw-net2": 193.111.228.0/24===194.109.7.250---194.109.7.249...205.150.200.129---205.150.200.134===205.150.200.160/28; erouted;
 eroute owner: #7930

Here you can see the ike_life, ipsec_life and the rekey margin/fuzz.
I am not sure why hard/soft is not set with those values. Perhaps it is
something else? Perhaps Herbert or Michael can shed some more light on this.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
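An added example, not part of the list thread above: a small Python parser that pulls the ike_life, ipsec_life, rekey_margin and rekey_fuzz values out of `ipsec auto --status` output and turns them into the window in which Pluto will start replacing each SA. The sample status text is constructed from the lines Paul pasted (the second connection's values are made up to show a bad setting); the rekey arithmetic assumes the ipsec.conf(5) meaning of rekeymargin and rekeyfuzz, namely that rekeying starts `rekeymargin` before expiry, with the margin randomly increased by up to `rekeyfuzz` percent. This reads the userspace view only; it does not look at the kernel SAD.

```python
"""Extract SA lifetimes from `ipsec auto --status` output and compute rekey windows."""
import re

# Constructed sample. The amsterdam--ssw-net1 lines are copied from the thread;
# amsterdam--ssw-net2 is invented here to show a margin larger than the lifetime.
SAMPLE_STATUS = """\
000 "amsterdam--ssw-net1": 193.110.157.0/24===194.109.7.250---194.109.7.249...205.150.200.129---205.150.200.134===205.150.200.160/28; erouted;
000 "amsterdam--ssw-net1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "amsterdam--ssw-net1":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,28; interface: eth0; encap: esp;
000 "amsterdam--ssw-net2":   ike_life: 600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
"""

# Matches only the per-connection lifetime line; other status lines are ignored.
LIFE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+ike_life: (?P<ike>\d+)s; '
    r'ipsec_life: (?P<ipsec>\d+)s; rekey_margin: (?P<margin>\d+)s; '
    r'rekey_fuzz: (?P<fuzz>\d+)%'
)


def parse_lifetimes(status_text):
    """Return {conn_name: {ike_life, ipsec_life, rekey_margin, rekey_fuzz}} in seconds / percent."""
    conns = {}
    for line in status_text.splitlines():
        m = LIFE_RE.match(line)
        if not m:
            continue
        conns[m.group("conn")] = {
            "ike_life": int(m.group("ike")),
            "ipsec_life": int(m.group("ipsec")),
            "rekey_margin": int(m.group("margin")),
            "rekey_fuzz": int(m.group("fuzz")),
        }
    return conns


def rekey_window(lifetime, margin, fuzz_percent):
    """Earliest and latest seconds after establishment at which replacement starts.

    Assumption (ipsec.conf(5)): rekeying begins `margin` before the lifetime
    expires, and the margin is randomly increased by up to `fuzz_percent`.
    """
    latest = lifetime - margin
    earliest = lifetime - margin * (100 + fuzz_percent) // 100
    return max(earliest, 0), max(latest, 0)


def check_margins(conns):
    """List (conn, field) pairs whose fuzzed margin reaches or exceeds the lifetime.

    Such a connection would try to rekey immediately after every negotiation.
    """
    problems = []
    for name, c in conns.items():
        worst_margin = c["rekey_margin"] * (100 + c["rekey_fuzz"]) // 100
        for field in ("ike_life", "ipsec_life"):
            if worst_margin >= c[field]:
                problems.append((name, field))
    return problems


if __name__ == "__main__":
    parsed = parse_lifetimes(SAMPLE_STATUS)
    for name, c in parsed.items():
        print(name)
        for field in ("ike_life", "ipsec_life"):
            lo, hi = rekey_window(c[field], c["rekey_margin"], c["rekey_fuzz"])
            print(f"  {field}={c[field]}s  rekey starts between {lo}s and {hi}s")
    for name, field in check_margins(parsed):
        print(f"WARNING: {name}: rekey margin (with fuzz) >= {field}")
```

Feed it the real output with `ipsec auto --status | python3 this_script.py`-style piping if you replace `SAMPLE_STATUS` with `sys.stdin.read()`; for the pasted net1 connection it reports that the IPsec SA (28800s) is replaced somewhere between 27720s and 28260s, and the ISAKMP SA (3600s) between 2520s and 3060s.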

