[Openswan Users] Keylife and ikelifetime
openswan at thefeds.net
Tue Dec 23 09:04:26 EST 2008
Could you tell me if the following is expected behaviour or a bug?
Whether I set keylife and ikelifetime or leave them to the default values
I am seeing that for both phase 1 and phase 2 SAs the initiator will set
EVENT_SA_REPLACE with the correct value, however the responder appears to
choose a random value.
I am using Openswan 2.6.19 on CentOS 5.0 at both ends. I have tried
setting plutodebug=all on both sides and I can see that the responder is
receiving the timeout values (for a phase 2 SA) but then it uses another
value to set EVENT_SA_REPLACE.
My expectation is that both sides should use either their configured
lifetimes or those they receive from the initiating peer (possibly minus a
rekeying margin). Is this expectation incorrect?
Thanks
Tim