[Swan] lifetime kilobytes
Kontakt
kontakt at smieci.de
Thu Oct 14 17:30:59 UTC 2021
Thanks Paul, Len.
I still have a question. There is a config like this:
conn xxx
    authby = secret
    auto = ignore
    ikelifetime = 86400s
    salifetime = 3600s
    left = our public IP (ex. 8.8.8.8)
    leftsubnet = our public IP (ex. 8.8.8.8)
    right = client public IP (ex. 15.15.15.15)
    rightsubnet = client another public ip (ex. 15.15.15.30)
    ike = aes256-sha1; dh5
    phase2alg = aes256-sha1; dh5
    pfs = yes
    ikev2 = never
Restarting the ipsec service causes five false setups (ipsec established)
of the tunnel, after which the service stops working - no pid.
The client does not want to use private addressing, only public.
On Thu, 14 Oct 2021 at 19:25, Lennart Sorensen <lsorense at csclub.uwaterloo.ca>
wrote:
> On Thu, Oct 14, 2021 at 01:22:51PM -0400, Paul Wouters wrote:
> > On Thu, 14 Oct 2021, Kontakt wrote:
> >
> > > I want to set up the ikev1 tunnel, where the other party expects from me the parameter
> > > "crypto map set security-association lifetime kilobytes 4608000" - I do not see this parameter in the configuration. The changelog doesn't mention this
> > > either. Can I ask for help in its configuration? On the other side I believe is Cisco / ace
> >
> > This functionality is not available but should make it in the next
> > release.
> >
> > Note however, that lifetimes are not negotiated. Either side configured
> > it, and whenever a side deems the maximum is reached, it is up to them
> > to initiate a rekey or reauthentication. So this option is at least not
> > preventing you from establishing an IPsec connection.
> >
> > Note also that 4.6MB is a very small amount of traffic if this lifetime
> > is associated with ESP. For IKE it might be okay, but a little strange
> > to specify.
>
> 4608000 kilobytes is 4.6GB so not terribly small.
>
> --
> Len Sorensen
>