[Openswan Users] Rekey Problem between openswan and strongswan

Paul Wouters paul at xelerance.com
Tue Oct 26 10:16:32 EDT 2010

On Tue, 26 Oct 2010, Yatong Cui wrote:

> OPENSWAN side: configure a long enough CHILD_SA lifetime (for example 300s), regardless of SA life type, so that it does not expire before STRONGSWAN's.
> STRONGSWAN side: configure the CHILD_SA lifetime to expire within a short period (for example 30s), regardless of SA life type.
> Then STRONGSWAN initiates the connection and sends continuous echo packets for more than 1 min.

> The connection is successful for 20s (lifetime minus margintime). After that, because the rekey is not successful,
> the connection breaks down and the echo test fails.

> 1. This test is successful when setting the OPENSWAN CHILD_SA lifetime to a shorter value and the STRONGSWAN CHILD_SA lifetime to a larger value.
> 2. The rekey between 2 strongswan hosts is successful (setting one side to 30s and the other side to 300s).

Do you have logs?

Usually when initiating from one end works but rekeys from the other end do not, it is because there is a small
difference in configuration, where openswan as responder is more accepting of "errors" than the other end.

For example, openswan accepts pfs=yes even when configured with pfs=no, but if configured with pfs=no, it
will initiate with that, which might not be what the other end intended.
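
A small checker for the two mismatches discussed in this thread, the responder's CHILD_SA lifetime being shorter than the initiator's rekey window and the two peers disagreeing on pfs. This is an added example in Python, not code from the original thread or from either the Openswan or strongSwan project. The two ipsec.conf fragments are constructed for illustration; the conn name, addresses and the defaults used for missing keys are assumptions, and the rekey window is modelled as lifetime minus the margin, with the margin randomly enlarged by up to rekeyfuzz percent.

```python
"""Check a pair of ipsec.conf 'conn' sections for rekey-timing and pfs
mismatches between an initiator and a responder.  Added example, not
Openswan or strongSwan project code."""
import re

# Constructed strongSwan-side fragment (conn name and addresses assumed):
# short lifetime, no fuzz, pfs=yes.
STRONGSWAN_CONF = """\
conn test
    left=192.0.2.1
    right=192.0.2.2
    lifetime=30s
    margintime=10s
    rekeyfuzz=0%
    pfs=yes
    auto=start
"""

# Constructed openswan-side fragment: long lifetime, pfs=no, default fuzz.
OPENSWAN_CONF = """\
conn test
    left=192.0.2.2
    right=192.0.2.1
    keylife=300s
    rekeymargin=30s
    pfs=no
    auto=add
"""

# Assumed defaults for keys that are not set (strongSwan's documented ones).
DEFAULT_LIFETIME = "3600"
DEFAULT_MARGIN = "540"
DEFAULT_FUZZ = "100%"
DEFAULT_PFS = "yes"


def parse_conn(text, name):
    """Return the key=value settings of the 'conn NAME' section.
    Simplified parser: 'conn %default', 'also=' and 'config setup' are ignored."""
    settings = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = m.group(1) if m else None
            continue
        if current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def seconds(value):
    """Convert an ipsec.conf time value such as '9m' or '300s' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    unit = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]
    return int(m.group(1)) * unit


def first(settings, keys, default):
    """First of `keys` present in `settings`, else `default`."""
    for k in keys:
        if k in settings:
            return settings[k]
    return default


def child_sa_lifetime(settings):
    """strongSwan spells it 'lifetime', openswan 'keylife'; both accept 'salifetime'."""
    return seconds(first(settings, ("lifetime", "keylife", "salifetime"), DEFAULT_LIFETIME))


def rekey_window(settings):
    """(earliest, latest) seconds after SA creation at which this side rekeys:
    lifetime minus margin, the margin enlarged by up to rekeyfuzz percent."""
    life = child_sa_lifetime(settings)
    margin = seconds(first(settings, ("margintime", "rekeymargin"), DEFAULT_MARGIN))
    fuzz = int(first(settings, ("rekeyfuzz",), DEFAULT_FUZZ).rstrip("%"))
    latest = max(0, life - margin)
    earliest = max(0, life - margin * (100 + fuzz) // 100)
    return earliest, latest


def pfs(settings):
    return first(settings, ("pfs",), DEFAULT_PFS).lower()


def check_pair(initiator, responder):
    """Findings when `initiator` drives the rekey against `responder`."""
    findings = []
    earliest, latest = rekey_window(initiator)
    if latest >= child_sa_lifetime(responder):
        findings.append("responder-expires-first")   # responder's SA is gone before the rekey
    if latest == 0:
        findings.append("margin-exceeds-lifetime")   # e.g. 9m default margin with a 300s lifetime
    if pfs(initiator) != pfs(responder):
        findings.append("pfs-mismatch")              # one side pfs=yes, the other pfs=no
    return findings


if __name__ == "__main__":
    sw = parse_conn(STRONGSWAN_CONF, "test")
    ow = parse_conn(OPENSWAN_CONF, "test")
    print("strongSwan rekeys at", rekey_window(sw), "s; openswan lifetime", child_sa_lifetime(ow), "s")
    print("strongSwan initiating:", check_pair(sw, ow))
    print("openswan initiating:", check_pair(ow, sw))
```

With the constructed fragments the strongSwan side rekeys at exactly 20s (30s lifetime minus 10s margin, no fuzz), matching the figure quoted above, and the only finding in that direction is the pfs disagreement; with the roles reversed the checker also reports that the 30s strongSwan SA expires long before openswan's 240s to 270s rekey window.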

