[Openswan Users] Rekey Problem between openswan and strongswan
Paul Wouters
paul at xelerance.com
Tue Oct 26 10:16:32 EDT 2010
On Tue, 26 Oct 2010, Yatong Cui wrote:
> OPENSWAN side: configure enough long CHILD_SA lifetime (for example 300s) regardless of SA life type not to be expired before STRONGSWAN.
> STRONGSWAN side: configure CHILD_SA lifetime to be expired within short period (for example 30s) regardless of SA life type.
> Then STRONGSWAN initiates the connection and send continuous echo packets for more than 1 min.
> The connection can be successful for 20s(lifetime minus margintime). And after that,because the rekey is not successful.
> The connection broke down and the echo test wasn't successful.
> 1 This test is successful when setting the OPENSWAN CHILD_SA lifetime to a shorter value and STRONGSWAN CHILD_SA lifetime to a larger value.
> 2 The rekey between 2 strongswan hosts are successful (setting one side to 30s and the other side to 300s)
Do you have logs?
Usually when initiating from one end works, but rekeys from the other end do not, is that there is a small
difference in configuration, where openswan as responder is more accepting of "errors" then the other end
is.
For example, openswan accepts pfs=yes even when configured with pfs=no, but if configured with pfs=no, it
will initiate with that, which might not be what the other end intended.
Paul
More information about the Users
mailing list