[Openswan Users] Expiring SA based on traffic volume, and manual expiration of SA

Jennifer Agarwal jsagarwal at exqss.com
Thu Dec 18 12:34:07 EST 2008


All, 

My client is interested in expiring the SA based on elapsed time, traffic volume, and having the ability to manually expire an SA.

I have found the ipsec.conf file contains the parameters "keylife" for IPsec SA and "ikelifetime" for ISAKMP SA. Both of these parameters allow the user to set the time before new SAs are negotiated.

Does anyone know how I would allow the expiration of the SA manually or based on traffic volume?

Thank you,

*********************************
Jennifer Agarwal
President / Principal Engineer

Exquisite Software Solutions, LLC
(240) 483-8619
jsagarwal at exqss.com
 
*********************************



> Date: Thu, 11 Dec 2008 14:40:30 -0500
> From: paul at xelerance.com
> To: jsagarwal at exqss.com
> CC: users at openswan.org
> Subject: Re: [Openswan Users] "ike" parameter in ipsec.conf file
> 
> On Thu, 11 Dec 2008, Jennifer Agarwal wrote:
> 
> > I am having trouble understanding the "ike" parameter in the ipsec.conf file.  According to the man page
> > 
> > ike=cipher-hash-modgroup  but what are all the possible choices. 
> 
> Mostly 3des, aes for cipher, sha1, md5, sha256 for hash, and modgroups modp1024, modp1536, modp2048 etc.
> 
> > 000 "ipsec0":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
> > 000 "ipsec0":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> > 000 "ipsec0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 
> Btw. I would not call your connection "ipsec0", that is very confusing as that is an interface name, not
> a connection name.
> 
> > So it looks like the tunnel has been negotiated with SA#45.  Should I be concerned with the "wanted" "found" and newest not all matching?
> 
> the 000 just means any acceptable keysize (192, 256)
> 
> > If anyone could provide me with further examples of what is allowed for the parameter "ike" I would appreciate it. 
> 
> There are many examples in the testsuite in testing/pluto/*ike*
> 
> Paul
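
As an added example, not from the thread: a small Python parser for the pluto status lines Paul quotes above, treating a `_000` key size as "any acceptable size" as he explains, and flagging 3DES, MD5 and MODP1024 as algorithms a current policy review would reject (that assessment is mine, not the list's).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Status lines copied from the quoted reply; "ipsec0" is the poster's connection name.
STATUS_LINES = [
    '000 "ipsec0":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict',
    '000 "ipsec0":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)',
    '000 "ipsec0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024',
]

# Algorithms flagged as weak by current standards (my assessment, not from the thread).
WEAK = {"3DES_CBC", "MD5", "MODP1024"}

LINE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+IKE algorithms? (?P<kind>wanted|found|newest): '
    r'(?P<prop>[^;\s]+)(?:; flags=(?P<flags>\S+))?$'
)
# NAME, optional "(id)", optional "_bits": e.g. 3DES_CBC(5)_000, MD5(1)_128, MODP1024
ALG_RE = re.compile(r'^(?P<name>[A-Z0-9]+(?:_[A-Z]+)*)(?:\((?P<id>\d+)\))?(?:_(?P<bits>\d+))?$')


@dataclass
class Alg:
    name: str
    alg_id: Optional[int]  # the IKE transform id in parentheses, e.g. 3DES_CBC(5)
    bits: Optional[int]    # key size; None when absent or "000" (any acceptable size)


def parse_alg(token: str) -> Alg:
    m = ALG_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised algorithm token: {token!r}")
    bits = int(m["bits"]) if m["bits"] else 0
    return Alg(m["name"], int(m["id"]) if m["id"] else None, bits or None)


def parse_status(line: str) -> dict:
    """Split one 'IKE algorithms wanted/found/newest' line into cipher, hash and DH group."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an IKE algorithm status line: {line!r}")
    cipher, hash_, group = (parse_alg(t) for t in m["prop"].split("-"))
    return {"conn": m["conn"], "kind": m["kind"], "cipher": cipher,
            "hash": hash_, "group": group, "flags": m["flags"]}


def weak_algorithms(line: str) -> List[str]:
    """Names in a status line that a modern IKE policy review would reject."""
    p = parse_status(line)
    return [a.name for a in (p["cipher"], p["hash"], p["group"]) if a.name in WEAK]


if __name__ == "__main__":
    for line in STATUS_LINES:
        p = parse_status(line)
        print(p["kind"], p["cipher"], p["hash"], p["group"], "weak:", weak_algorithms(line))
```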
