[Openswan Users] Keylife and ikelifetime
openswan at thefeds.net
Tue Dec 23 14:29:31 EST 2008
Both ends have the same lifetimes defined. I noticed after I sent my last
mail that the default rekeyfuzz was 100%. This explains why the end that
received a proposal would sometimes set EVENT_SA_REKEY to be around 2500
seconds when the default lifetime is around 8000 seconds. I have now
explicitly set rekeyfuzz to 0% on one of my connections and it is keeping
SAs in step much better.
I don't think the last version of openswan that I used had rekeyfuzz at
all, thus I wasn't expecting it to have such a large default.
Thanks
Tim
On Tue, 23 Dec 2008, Paul Wouters wrote:
> On Tue, 23 Dec 2008, openswan at thefeds.net wrote:
>
>> I will try specifying the fuzz. Currently I am seeing some SAs lasting for
>> only 30% of the locally configured life (local life = remote life).
>
> Which end is initiating the rekey? If the other end has a shorter life, it could
> potentially initiate the rekey, regardless of the local settings.
>
> Paul
>
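
An added example, not part of the original messages: a small Python helper that reads `conn` sections in ipsec.conf syntax and reports the window in which rekeying can start, following the ipsec.conf(5) description of `rekeyfuzz` as the maximum percentage by which `rekeymargin` is randomly increased. The `rekeymargin` option, the default values and the sample configuration are assumptions that do not come from the thread.

```python
import re

# Defaults as documented in ipsec.conf(5); treated here as assumptions.
DEFAULTS = {"keylife": "8h", "ikelifetime": "1h",
            "rekeymargin": "9m", "rekeyfuzz": "100%"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert an ipsec.conf time value such as '9m' or '8000' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn name: {option: value}} for the options in DEFAULTS."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], dict(DEFAULTS))
        elif current is not None and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key in DEFAULTS:
                current[key] = val
    return conns

def rekey_window(lifetime, margin, fuzz_pct):
    """Earliest and latest second after SA setup at which rekeying may start."""
    # The margin is randomly increased by up to fuzz_pct percent.
    worst = margin + margin * fuzz_pct // 100
    if worst >= lifetime:
        raise ValueError("rekeymargin after fuzz exceeds the lifetime")
    return lifetime - worst, lifetime - margin

def report(text, option="keylife"):
    out = {}
    for name, o in parse_conns(text).items():
        fuzz = int(o["rekeyfuzz"].rstrip("%"))
        out[name] = rekey_window(seconds(o[option]), seconds(o["rekeymargin"]), fuzz)
    return out

# Constructed sample configuration, not taken from the thread.
SAMPLE = """
conn fuzzy
    keylife=8000s
conn steady
    keylife=8000s
    rekeyfuzz=0%
"""
```

Calling `report(SAMPLE)` gives a window per connection; pass `option="ikelifetime"` to do the same for the IKE SA.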