[Openswan Users] ikelifetime < salifetime ?
Mark Himsley
mark at mdsh.com
Mon Aug 15 10:25:16 EDT 2011
Hi Paul, thanks for replying again.
On 15/08/11 14:49, Paul Wouters wrote:
> On Sun, 14 Aug 2011, Mark Himsley wrote:
>
>> Is it correct to say that ikelifetime should be less than salifetime?
>
> There is disagreement on that. The two are pretty independent, so you
> can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h. Openswan
> has it the other way around.
You say "you can pick either". What if I've picked both?
For some time I had this conn - the rest of Openswan's config is the
defaults for Ubuntu 10.04 - I can list it all if you need... Left is
Ubuntu 10.04 kernel 2.6.32-33-generic-pae and right is Windows XP.
conn mrm_main
        ## GENERAL CONFIG
        type=transport
        # local end
        left=%defaultroute
        leftprotoport=tcp
        # remote end
        right=10.94.220.130
        rightprotoport=tcp/2001
        ## AUTOMATIC KEYING CONFIG
        auto=start
        authby=secret
        salifetime=10m
        rekeymargin=2m
        rekeyfuzz=10%
        ikelifetime=480m
Then, regularly (like every 8 hours or so), I would get an "IPsec SA
expired (LATEST!)" message logged and therefore the conn would be
"prospective erouted".
I'm testing today with:
        salifetime=10m
        rekeymargin=1m
        rekeyfuzz=10%
        ikelifetime=5m
>> I think I caused myself a problem when I reduced salifetime to less than
>> ikelifetime on a virtually idle link.
>
> That should not matter.
>
>> When I made salifetime less than ikelifetime I was getting "IPsec SA
>> expired (LATEST!)" and the link was going into "prospective erouted",
>> which I think I've fixed by making ikelifetime < salifetime.
>
> Hmm, it should still rekey the phase2...
It does, but sometimes many hours later. With the settings above I had
the conn be "prospective erouted" for up to 8 hours before it became
"erouted" again.
>> I think I needed to set short lifetimes because it appears that the
>> VMWare server I'm running Openswan on forgets connections when they were
>> idle.
>
> That just might require NAT-T keepalives, even if there is no NAT. You
> can try adding forceencaps=yes
Thanks. I'll try that.
--
Mark
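The thread turns on how salifetime, ikelifetime, rekeymargin and rekeyfuzz interact. The script below is an added worked example, not code from the thread or from the Openswan project: it parses a conn section like the one Mark posted (the section text is constructed here, with the same values), applies the ipsec.conf(5) semantics that a replacement negotiation starts rekeymargin before expiry, with the margin randomly enlarged by up to rekeyfuzz percent, and reports the window in which each SA will be rekeyed plus any setting where that window collapses to nothing. The fallback values in DEFAULTS are Openswan's documented defaults as I recall them and are an assumption of this example.

```python
import re

# Constructed ipsec.conf fragment modelled on the first conn in the post
# (same keys and values as shown there; the addresses are the post's, not a live host).
SAMPLE_CONN = """\
conn mrm_main
        type=transport
        left=%defaultroute
        leftprotoport=tcp
        right=10.94.220.130
        rightprotoport=tcp/2001
        auto=start
        authby=secret
        salifetime=10m
        rekeymargin=2m
        rekeyfuzz=10%
        ikelifetime=480m
"""

# Fallbacks used when a conn omits a key: Openswan's documented defaults
# as recalled from ipsec.conf(5); treated as an assumption of this example.
DEFAULTS = {"ikelifetime": "1h", "salifetime": "8h",
            "rekeymargin": "9m", "rekeyfuzz": "100%"}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert an ipsec.conf time value ('10m', '8h', '30s', bare seconds) to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_percent(text):
    """Convert a rekeyfuzz value such as '10%' to the integer 10."""
    m = re.fullmatch(r"(\d+)%", text.strip())
    if not m:
        raise ValueError(f"unsupported percentage: {text!r}")
    return int(m.group(1))


def parse_conn(text):
    """Read the key=value lines of one conn section; comments and the header are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def rekey_window(lifetime, margin, fuzz_pct):
    """Seconds after establishment at which the replacement negotiation may start.

    rekeymargin is randomly increased by up to rekeyfuzz percent, so the attempt
    begins somewhere in [lifetime - margin*(1+fuzz), lifetime - margin].
    Integer arithmetic keeps the bounds exact.
    """
    earliest = lifetime - (margin * (100 + fuzz_pct)) // 100
    latest = lifetime - margin
    return earliest, latest


def check_lifetimes(params):
    """Compute both rekey windows and flag settings that leave no time to rekey."""
    p = {**DEFAULTS, **params}
    sa_life = parse_duration(p["salifetime"])
    ike_life = parse_duration(p["ikelifetime"])
    margin = parse_duration(p["rekeymargin"])
    fuzz = parse_percent(p["rekeyfuzz"])
    result, warnings = {}, []
    for name, life in (("sa", sa_life), ("ike", ike_life)):
        earliest, latest = rekey_window(life, margin, fuzz)
        result[f"{name}_rekey_window"] = (earliest, latest)
        if earliest <= 0:
            warnings.append(
                f"{name}: rekeymargin ({margin}s) grown by rekeyfuzz ({fuzz}%) is at "
                f"least the lifetime ({life}s); no interval remains before the rekey attempt")
    # Informational only: the thread's question of which lifetime is longer.
    result["ike_longer_than_sa"] = ike_life > sa_life
    result["warnings"] = warnings
    return result


if __name__ == "__main__":
    for key, value in check_lifetimes(parse_conn(SAMPLE_CONN)).items():
        print(f"{key}: {value}")
```

For the posted values this gives an IPsec SA rekey window of 468 to 480 seconds after establishment and an IKE SA window of 28668 to 28680 seconds; neither is flagged, which matches Paul's point that the two lifetimes are independent. Feeding it a conn whose rekeymargin (after fuzz) reaches the lifetime produces a warning, which is the kind of misconfiguration worth catching before it shows up as a tunnel that never settles.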