[Openswan Users] Keylife and ikelifetime
Paul Wouters
paul at xelerance.com
Tue Dec 23 12:59:16 EST 2008
On Tue, 23 Dec 2008, openswan at thefeds.net wrote:
> Both ends have the same lifetimes defined. I noticed after I sent my last mail
> that the default rekeyfuzz was 100%. This explains why the end that received a
> proposal would sometimes set EVENT_SA_REKEY to be around 2500 seconds when the
> default lifetime is around 8000 seconds. I have now explicitly set rekeyfuzz
> to 0% on one of my connections and it is keeping SAs in step much better.
100% sounds wrong. I'll look into that.
Using fuzz of 0 is dangerous. If a busy server crashes and restarts, all the
connections will rekey all at the same time at uptime == lifetime.
> I don't think the last version of openswan that I used had rekeyfuzz at all,
> thus I wasn't expecting it to have such a large default.
It's been in there forever, but the default might have changed accidentally.
Paul
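An added illustration of the rekey-storm point raised in this thread; it is not part of the original messages and is not Openswan's own code. It models rekeyfuzz the way the ipsec.conf description of rekeymargin/rekeyfuzz reads (the effective margin is rekeymargin increased by a random 0..rekeyfuzz percent, and the rekey fires at lifetime minus that margin, but never earlier than half the lifetime); that formula, the halving rule, and the lifetime/margin values used are assumptions, not numbers taken from the thread. With rekeyfuzz=0 every SA established at the same moment (for example right after a daemon restart) rekeys in the same second; with a non-zero fuzz the rekeys spread over a window of rekeymargin * rekeyfuzz/100 seconds.

```python
import random

# Constructed example of how rekeyfuzz spreads rekey events (assumption:
# effective margin = rekeymargin grown by a random 0..rekeyfuzz percent,
# rekey scheduled at lifetime - margin, never earlier than lifetime/2).
# These are the ipsec.conf defaults as I understand them, not values
# quoted in the thread.
IKELIFETIME = 3600   # seconds (ikelifetime=1h)
REKEYMARGIN = 540    # seconds (rekeymargin=9m)


def rekey_delay(lifetime, rekeymargin, rekeyfuzz, rng=random):
    """Seconds after SA establishment at which the rekey event is scheduled."""
    fuzz_fraction = rng.random() * rekeyfuzz / 100.0   # 0 .. rekeyfuzz/100
    margin = rekeymargin * (1.0 + fuzz_fraction)
    if margin < lifetime / 2:
        return lifetime - margin
    return lifetime / 2  # margin too large for this lifetime: rekey halfway


def rekey_schedule(n_conns, lifetime, rekeymargin, rekeyfuzz, seed=2008):
    """Rekey times for n_conns SAs all established at t=0 (a daemon restart).

    The seed makes the constructed schedule reproducible.
    """
    rng = random.Random(seed)
    return sorted(rekey_delay(lifetime, rekeymargin, rekeyfuzz, rng)
                  for _ in range(n_conns))


def peak_rekeys(times, window):
    """Largest number of rekeys landing in any fixed window-second bucket."""
    buckets = {}
    for t in times:
        b = int(t // window)
        buckets[b] = buckets.get(b, 0) + 1
    return max(buckets.values()) if buckets else 0


if __name__ == "__main__":
    # 500 tunnels coming up together after a restart, rekeys counted per minute
    for fuzz in (0, 50, 100):
        times = rekey_schedule(500, IKELIFETIME, REKEYMARGIN, fuzz)
        print(f"rekeyfuzz={fuzz:3d}%: rekeys between {times[0]:.0f}s and "
              f"{times[-1]:.0f}s, peak {peak_rekeys(times, 60)} per minute")
```

The per-minute peak is the number a responder (or the CPU doing the Diffie-Hellman work) has to absorb at once; with rekeyfuzz=0 it equals the number of tunnels, which is the situation the reply above warns about.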