[Swan-commit] Changes to ref refs/heads/main
Paul Wouters
paul at vault.libreswan.fi
Fri Jan 22 16:40:37 UTC 2021
New commits:

commit d932f2e27d9418ac1047aeeff651b5c50918fc9a
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 22 11:39:52 2021 -0500

    testing: fixup output for new 8h ikelifetime default

commit 612547e5b0aeea7b685f33ef80da342b8fd6870d
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 22 11:24:31 2021 -0500

    documentation: updated CHANGES

commit 6b7b51d6cefb77d71a4fd639c9ef6aa2e3145dc6
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 22 11:17:40 2021 -0500

    pluto: change default IKE SA lifetime from 1h to 8h.

    With IKEv1, the IKE SA could expire while retaining the IPsec SA,
    which meant an IKE SA of 1h would not affect an IPsec SA of 8h.
    With IKEv2, if the IKE SA expires, it takes down all IPsec SAs
    as well.

    As a result, the same default for ikelifetime= causes very different
    behaviour between IKEv1 and IKEv2 when rekey=no is set.

    While it is possible with libreswan 4.x to set rekey=yes on the server
    side, to ensure the connection stays up, often clients (e.g. Windows)
    do not like it when the server initiates a rekey to them.

    This was reported at various places. Some examples:

    Resolves: https://github.com/libreswan/libreswan/issues/405
    Resolves: https://github.com/hwdsl2/setup-ipsec-vpn/issues/913
    Resolves: https://github.com/libreswan/libreswan/issues/362