[Openswan Users] NETKEY SA lifetime
Paul Wouters
paul at xelerance.com
Tue Feb 6 10:55:17 EST 2007
On Mon, 5 Feb 2007, Mike Horn wrote:
> It appears that the SA lifetime (hard or soft) is not being set in the
> NETKEY SAD entries. What I'm mostly interested in is the "hard:" field for
> the SA. This is set using the -lh extension if you are adding the entry
> with "setkey add".
>
> 172.4.4.10 172.3.3.5
> esp mode=tunnel spi=3597347870(0xd66b2c1e) reqid=16397(0x0000400d)
> E: aes-cbc d31566a1 79a333a7 a25d3726 39cf9b7a 01f70645 5f87c0ff
> 98d3bbf3 5f054df9
> A: hmac-sha1 614b29bc 58305971 9e2a104f 28f7cd10 6ff8fa12
> seq=0x00000000 replay=32 flags=0x00000000 state=mature
> created: Feb 5 12:04:44 2007 current: Feb 5 12:04:49 2007
> diff: 5(s) hard: 0(s) soft: 0(s)
> ^ ** this is the value that I'm looking for **
>
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=0 pid=10405 refcnt=0
>
> Is there any way to see the SA lifetime other than looking in the tunnel
> configuration? Thanks!
You can run ipsec auto --status and see:
000 "amsterdam--ssw-net1": 193.110.157.0/24===194.109.7.250---194.109.7.249...205.150.200.129---205.150.200.134===205.150.200.160/28; erouted; eroute owner: #7945
000 "amsterdam--ssw-net1": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "amsterdam--ssw-net1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "amsterdam--ssw-net1": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,28; interface: eth0; encap: esp;
000 "amsterdam--ssw-net1": newest ISAKMP SA: #7967; newest IPsec SA: #7945;
000 "amsterdam--ssw-net1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "amsterdam--ssw-net2": 193.111.228.0/24===194.109.7.250---194.109.7.249...205.150.200.129---205.150.200.134===205.150.200.160/28; erouted; eroute owner: #7930
Here you can see the ike_life, ipsec_life and the rekey margin/fuzz.
I am not sure why hard/soft is not set with those values. Perhaps it is
something else? Perhaps Herbert or Michael can shed some more light on this.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
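As an added example (not from this thread and not Openswan's own code), a small Python check that pairs the kernel SAD view with the pluto view: it parses `setkey -D` entries and `ipsec auto --status` lines, flags SAs whose hard lifetime is 0 (the kernel will not expire them, so expiry rests entirely on pluto rekeying), and compares each SA's age with the configured ipsec_life and rekey_margin. The sample inputs are constructed from the values shown above (key material omitted); the IPv4-only header match and the function names are assumptions.

```python
import re

# Regexes for the setkey -D SAD dump and the ipsec auto --status lifetime line.
SA_HEADER = re.compile(r"^(\S*\.\S*)\s+(\S*\.\S*)$")  # unindented "src dst" (IPv4 assumed)
SPI_RE = re.compile(r"spi=(\d+)\((0x[0-9a-f]+)\)")
DIFF_RE = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")
LIFE_RE = re.compile(r'000 "([^"]+)":.*ipsec_life: (\d+)s;.*rekey_margin: (\d+)s')

# Constructed sample SAD entry (setkey indents every line after the header with a tab).
SETKEY_DUMP = """\
172.4.4.10 172.3.3.5
\tesp mode=tunnel spi=3597347870(0xd66b2c1e) reqid=16397(0x0000400d)
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
\tcreated: Feb  5 12:04:44 2007\tcurrent: Feb  5 12:04:49 2007
\tdiff: 5(s)\thard: 0(s)\tsoft: 0(s)
"""
# Constructed sample of the pluto status line carrying the configured lifetimes.
STATUS_OUTPUT = ('000 "amsterdam--ssw-net1":   ike_life: 3600s; ipsec_life: 28800s; '
                 'rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0\n')


def parse_sad(text):
    """Return one dict per SA (src, dst, spi, age, hard, soft) from a setkey -D dump."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:  # a new SA starts at an unindented "src dst" line
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur and (m := SPI_RE.search(line)):
            cur["spi"] = m.group(2)
        if cur and (m := DIFF_RE.search(line)):
            cur["age"], cur["hard"], cur["soft"] = map(int, m.groups())
    return sas


def parse_status(text):
    """Map connection name -> (ipsec_life, rekey_margin) from ipsec auto --status."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in map(LIFE_RE.search, text.splitlines()) if m}


def check_sa(sa, ipsec_life, rekey_margin):
    """Return findings for one SA against the lifetimes pluto was configured with."""
    findings = []
    if sa["hard"] == 0:  # the kernel will never expire this SA on its own
        findings.append("kernel enforces no hard lifetime; expiry depends on pluto rekeying")
    if sa["age"] > ipsec_life:  # pluto should have replaced it by now
        findings.append("SA older than ipsec_life: rekeying is not happening")
    elif sa["age"] > ipsec_life - rekey_margin:
        findings.append("SA inside rekey margin; expect a replacement SA soon")
    return findings
```

Run `parse_sad` on the output of `setkey -D` and `parse_status` on `ipsec auto --status` taken at the same moment; an SA that is both past ipsec_life and has hard 0 is one that neither the kernel nor pluto is going to retire.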