From: Martin Willi Date: Tue, 3 Feb 2015 10:53:09 +0000 (+0100) Subject: vici: If a IKE reauth_time is configured, disable the default rekey_time X-Git-Tag: 5.3.0dr1~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6511e36b51973506d9a67d0a84477cb3002cc20;p=thirdparty%2Fstrongswan.git vici: If a IKE reauth_time is configured, disable the default rekey_time --- diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 43b3f07123..3ecb10f85f 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -1751,7 +1751,8 @@ CALLBACK(config_sn, bool, .fragmentation = FRAGMENTATION_NO, .unique = UNIQUE_NO, .keyingtries = 1, - .rekey_time = LFT_DEFAULT_IKE_REKEY, + .rekey_time = LFT_UNDEFINED, + .reauth_time = LFT_UNDEFINED, .over_time = LFT_UNDEFINED, .rand_time = LFT_UNDEFINED, }; @@ -1809,6 +1810,20 @@ CALLBACK(config_sn, bool, peer.local_port = charon->socket->get_port(charon->socket, FALSE); } + if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED) + { + /* apply a default rekey time if no rekey/reauth time set */ + peer.rekey_time = LFT_DEFAULT_IKE_REKEY; + peer.reauth_time = 0; + } + if (peer.rekey_time == LFT_UNDEFINED) + { + peer.rekey_time = 0; + } + if (peer.reauth_time == LFT_UNDEFINED) + { + peer.reauth_time = 0; + } if (peer.over_time == LFT_UNDEFINED) { /* default over_time to 10% of rekey/reauth time if not given */ diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 01ff48e76d..454d4a51a8 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -220,7 +220,9 @@ connections..rekey_time = 4h IKEv1 performs a reauthentication procedure instead. With the default value IKE rekeying is scheduled every 4 hours, minus the - configured **rand_time**. + configured **rand_time**. If a **reauth_time** is configured, **rekey_time** + defaults to zero disabling rekeying; explicitly set both to enforce + rekeying and reauthentication. connections..over_time = 10% of rekey_time/reauth_time Hard IKE_SA lifetime if rekey/reauth does not complete, as time.