Issue #3542

IKEv2 tunnel rekeys frequently when rekeymargin is greater than one-half of ikelifetime.

Added by ray chao 2 months ago. Updated 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.9.0
Resolution:

Description

When I use rekeymargin < 29m the connection rekeys normally.

config setup
conn test
...
 rekeymargin=29m
 rekeyfuzz=1%
 keyexchange=ikev2
 ikelifetime=1h
 keylife=480m
...

But when I use rekeymargin > 31m the connection rekeys abnormally frequently.

config setup
conn test
...
 rekeymargin=31m
 rekeyfuzz=1%
 keyexchange=ikev2
 ikelifetime=1h
 keylife=480m
...

The attached file is the ipsec status log.
It did not mention this restriction when I read https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey.
Is this a restriction?

29m.txt (117 KB) - ray chao, 17.08.2020 13:10
31m.txt (375 KB) - ray chao, 17.08.2020 13:10

History

#1 Updated by Tobias Brunner 2 months ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Priority changed from High to Normal

It did not mention this restriction when I read https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey.

The behavior when receiving an AUTH_LIFETIME notify is mentioned there (subtracting the margin, which the server might already have done when it calculated the value for the notify).

#2 Updated by ray chao 2 months ago

From my understanding, if I configure

 rekeymargin=31m
 rekeyfuzz=1%
 keyexchange=ikev2
 ikelifetime=1h
 keylife=480m

rekeytime=60-[31+random(0~31*0.01)]

The scheduled reauthentication time is rekeytime-31m(margin) < 0.
So it will frequently send AUTH_LIFETIME notifies; it's not a suggested config.

#3 Updated by Tobias Brunner 2 months ago

So it will frequently send AUTH_LIFETIME notify, it's not a suggested config.

The problem is not sending the notify, but that the client again subtracts the margin (i.e. if you have the same config on both ends it gets subtracted twice, which is why this causes a problem with a lifetime of 1 hour and a margin of 31 minutes). I never really liked that because remote and local config values are mixed together, but the received time is a hard limit so we have to subtract something so the reauthentication is started before that, and with common configs (i.e. lifetimes of several hours) it usually doesn't matter much.
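To make the double subtraction concrete, here is an added model of the scheduling described in this thread (example code, not strongSwan's own; the function names and the fuzz formula are assumptions taken from the comments above), run with the reporter's 29m and 31m configurations:

```python
"""Model of the reauth scheduling discussed in issue #3542.

Constructed illustration: one end computes its reauthentication time from
lifetime/margin/fuzz, sends it in AUTH_LIFETIME, and the receiving end treats
it as a hard limit and subtracts its own margin again. Function names are
assumptions for this example, not strongSwan APIs.
"""
import random
from typing import Optional

MINUTE = 60


def scheduled_reauth(lifetime_s: int, margin_s: int, fuzz_pct: float,
                     draw: Optional[float] = None) -> int:
    """Seconds until the local end starts reauthentication.

    Follows the formula from comment #2:
        lifetime - (margin + random(0 .. margin * fuzz%))
    `draw` in [0, 1] fixes the random factor; None picks one at random.
    """
    if draw is None:
        draw = random.random()
    fuzzed_margin = margin_s * (1 + draw * fuzz_pct / 100)
    return int(lifetime_s - fuzzed_margin)


def peer_reauth_after_notify(auth_lifetime_s: int, peer_margin_s: int) -> int:
    """What the receiver of AUTH_LIFETIME schedules.

    The received value is a hard limit, so the peer subtracts its own margin
    again (the second subtraction from comment #3). A result <= 0 means
    reauthentication is due immediately: the 'frequent rekey' symptom.
    """
    return auth_lifetime_s - peer_margin_s


def symmetric_config_ok(lifetime_s: int, margin_s: int, fuzz_pct: float) -> bool:
    """Sanity check for identical settings on both ends: even with maximum
    fuzz (draw=1.0) the peer must still be left with a positive delay."""
    worst_local = scheduled_reauth(lifetime_s, margin_s, fuzz_pct, draw=1.0)
    return peer_reauth_after_notify(worst_local, margin_s) > 0


if __name__ == "__main__":
    for margin_min in (29, 31):
        local = scheduled_reauth(60 * MINUTE, margin_min * MINUTE, 1, draw=1.0)
        peer = peer_reauth_after_notify(local, margin_min * MINUTE)
        print(f"margin={margin_min}m local={local}s peer={peer}s "
              f"ok={symmetric_config_ok(60 * MINUTE, margin_min * MINUTE, 1)}")
```

With ikelifetime=1h the check passes for 29m (peer delay 102 s at maximum fuzz) and fails for 30m and 31m, matching the threshold of about half the lifetime seen in the report.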
