[Swan] lifetime kilobytes

Kontakt kontakt at smieci.de
Thu Oct 14 17:30:59 UTC 2021


Thanks Paul, Len

I still have a question, there is such a config:

conn xxx
         authby = secret
         auto = ignore

         ikelifetime = 86400s
         salifetime = 3600s

         left = our public IP (ex. 8.8.8.8)
         leftsubnet = our public IP (ex. 8.8.8.8)
         right = client public IP (ex. 15.15.15.15)
         rightsubnet = client another public ip (ex. 15.15.15.30)

         ike = aes256-sha1; dh5
         phase2alg = aes256-sha1; dh5
         pfs = yes
         ikev2 = never


Restarting the ipsec service causes five false setups (ipsec established)
of the tunnel, after which the service stops working - no pid.
The client does not want to use private addressing, only public.

On Thu, 14 Oct 2021 at 19:25, Lennart Sorensen <lsorense at csclub.uwaterloo.ca>
wrote:

> On Thu, Oct 14, 2021 at 01:22:51PM -0400, Paul Wouters wrote:
> > On Thu, 14 Oct 2021, Kontakt wrote:
> >
> > > I want to set up the ikev1 tunnel, where the other party expects from
> > > me the parameter
> > > "crypto map set security-association lifetime kilobytes 4608000" - I
> > > do not see this parameter in the configuration. The changelog doesn't
> > > mention this either. Can I ask for help in its configuration? On the
> > > other side I believe is Cisco / ace
> >
> > This functionality is not available but should make it in the next
> > release.
> >
> > Note however, that lifetimes are not negotiated. Either side configured
> > it, and whenever a side deems the maximum is reached, it is up to them
> > to initiate a rekey or reauthentication. So this option is at least not
> > preventing you from establishing an IPsec connection.
> >
> > Note also that 4.6MB is a very small amount of traffic if this lifetime
> > is associated with ESP. For IKE it might be okay, but a little strange
> > to specify.
>
> 4608000 kilobytes is 4.6GB so not terribly small.
>
> --
> Len Sorensen
>