[Openswan Users] ikelifetime < salifetime ?

Mark Himsley mark at mdsh.com
Mon Aug 15 10:25:16 EDT 2011


Hi Paul, thanks for replying again.

On 15/08/11 14:49, Paul Wouters wrote:
> On Sun, 14 Aug 2011, Mark Himsley wrote:
>
>> Is it correct to say that ikelifetime should be less than salifetime?
>
> There is disagreement on that. The two are pretty independent, so you
> can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h. Openswan
> has it the other way around.

You say "you can pick either". What if I've picked both?

For some time I had this conn - the rest of Openswan's config is the 
defaults for Ubuntu 10.04 - I can list it all if you need... Left is 
Ubuntu 10.04 kernel 2.6.32-33-generic-pae and right is Windows XP.

conn mrm_main
         ## GENERAL CONFIG
         type=transport
         # local end
         left=%defaultroute
         leftprotoport=tcp
         # remote end
         right=10.94.220.130
         rightprotoport=tcp/2001
         ## AUTOMATIC KEYING CONFIG
         auto=start
         authby=secret
         salifetime=10m
         rekeymargin=2m
         rekeyfuzz=10%
         ikelifetime=480m

Then, regularly (like every 8 hours or so), I would get an "IPsec SA 
expired (LATEST!)" message logged and therefore the conn would be 
"prospective erouted".

I'm testing today with:

         salifetime=10m
         rekeymargin=1m
         rekeyfuzz=10%
         ikelifetime=5m

>> I think I caused myself a problem when I reduced salifetime to less than
>> ikelifetime on a virtually idle link.
>
> That should not matter.
>
>> When I made salifetime less than ikelifetime I was getting "IPsec SA
>> expired (LATEST!)" and the link was going into "prospective erouted",
>> which I think I've fixed by making ikelifetime < salifetime.
>
> Hmm, it should still rekey the phase2...

It does, but sometimes many hours later. With the settings above I had 
the conn be "prospective erouted" for up to 8 hours before it became 
"erouted" again.

>> I think I needed to set short lifetimes because it appears that the
>> VMWare server I'm running Openswan on forgets connections when they were
>> idle.
>
> That just might require NAT-T keepalives, even if there is no NAT. You
> can try adding forceencaps=yes

Thanks. I'll try that.

-- 
Mark
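To see what rekey timing the two conn variants quoted in this message actually produce, here is an added example (not Openswan's own code, and not posted by anyone in the thread). It parses the keying lines of a conn as written above and computes the window in which pluto starts replacing each SA, assuming, as ipsec.conf(5) describes, that rekeymargin is randomly increased by up to rekeyfuzz percent and that the stock Openswan defaults (ikelifetime=1h, salifetime=8h, rekeymargin=9m, rekeyfuzz=100%) apply to anything left out.

```python
import re

# Constructed copies of the two keying blocks quoted in the message above.
CONN_ORIGINAL = "salifetime=10m\nrekeymargin=2m\nrekeyfuzz=10%\nikelifetime=480m\n"
CONN_TEST = "salifetime=10m\nrekeymargin=1m\nrekeyfuzz=10%\nikelifetime=5m\n"

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumed stock Openswan defaults, used when a conn omits a parameter.
_DEFAULTS = {"salifetime": "8h", "ikelifetime": "1h",
             "rekeymargin": "9m", "rekeyfuzz": "100%"}


def parse_time(value):
    """'10m' -> 600 seconds; a bare number is taken as seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_keying(conn_text):
    """Pull the lifetime/rekey parameters out of a conn block (comments ignored)."""
    params = dict(_DEFAULTS)
    for line in conn_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = (x.strip() for x in line.split("=", 1))
            params[k] = v
    return {"salifetime": parse_time(params["salifetime"]),
            "ikelifetime": parse_time(params["ikelifetime"]),
            "rekeymargin": parse_time(params["rekeymargin"]),
            "rekeyfuzz": int(params["rekeyfuzz"].rstrip("%"))}


def rekey_window(lifetime, margin, fuzz_pct):
    """(earliest, latest) second after establishment at which replacement
    of the SA begins: lifetime minus margin, margin inflated by 0..fuzz_pct%."""
    return lifetime - margin * (100 + fuzz_pct) // 100, lifetime - margin


def analyse(conn_text):
    p = parse_keying(conn_text)
    sa = rekey_window(p["salifetime"], p["rekeymargin"], p["rekeyfuzz"])
    ike = rekey_window(p["ikelifetime"], p["rekeymargin"], p["rekeyfuzz"])
    problems = []
    # A margin that (with fuzz) reaches or exceeds the lifetime leaves no
    # time to rekey before the SA expires outright.
    if sa[0] <= 0 or ike[0] <= 0:
        problems.append("rekeymargin plus rekeyfuzz is not shorter than a lifetime")
    return {"ipsec_rekey_window": sa, "ike_rekey_window": ike,
            "ike_shorter_than_ipsec": p["ikelifetime"] < p["salifetime"],
            "problems": problems}
```

With the original conn the IPsec SA is replaced 7.8 to 8 minutes after it comes up while the IKE SA lasts the full 8 hours; the test conn replaces the IKE SA after roughly 4 to 5 minutes, well inside each 10-minute IPsec SA.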

