
strongSwan IPsec VPN: disconnection, reconnection and rekey

hqy hqy, posted 2019-04-12 14:37:32, 3390 views, 0 comments

reauth = yes | no

whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.
In IKEv2, a value of no rekeys without uninstalling the IPsec SAs, a value of yes (the default)
creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

rekey = yes | no

whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but
while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding
to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.
Also see reauth.

rekeyfuzz = 100% | <percentage>

maximum percentage by which marginbytes, marginpackets and margintime should be randomly increased to randomize
rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100,
followed by a '%'.
The value of marginTYPE, after this random increase, must not exceed lifeTYPE (where TYPE is one of bytes, packets or time).
The value 0% will suppress randomization. Relevant only locally, the other end need not agree on it.
Also see Expiry and Rekey.


margintime = 9m | <time>

how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin; acceptable values
as for lifetime (default 9m). Relevant only locally, the other end need not agree on it. Also see Expiry and Rekey.



config setup
        # do not tear down an existing IKE_SA when the same peer ID connects again
        uniqueids = never

conn %default
        authby=psk
        type=tunnel
        ike=aes-sha1-modp1024!
        ikelifetime=3600s
        # IKEv1: reauthentication is always performed on rekey
        reauth=yes
        esp=aes-sha1-modp1024!
        lifetime=3600s
        aggressive=yes

conn net-net
        keyexchange=ikev1
        left=%any
        leftsubnet=192.168.23.0/24
        leftid=@A.com
        leftfirewall=yes
        right=x.x.x.x
        rightsubnet=192.168.168.0/22
        rightid=@B.com
        auto=start
        type=tunnel
        # start renegotiating 1 minute before expiry, randomized by up to 100% of that margin
        margintime=1m
        rekeyfuzz=100%
        rekey=yes

conn net-net2
        keyexchange=ikev1
        left=%any
        leftsubnet=192.168.1.0/24
        leftid=@A.com
        leftfirewall=yes
        right=x.x.x.x
        rightsubnet=192.168.168.0/22
        rightid=@B.com
        auto=start
        type=tunnel
        margintime=1m
        rekeyfuzz=100%
        rekey=yes
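To see when the settings above actually trigger a rekey, here is an added example (not from the original post and not strongSwan code) that reads a constructed excerpt mirroring the page's conn values and computes the rekey window from the strongSwan formula rekey = lifetime - (margintime + random(0, margintime * rekeyfuzz)). It also enforces the man page constraint that the fuzzed margin must not exceed the lifetime. The helper names (parse_conf, rekey_window, rekey_plan) are my own; the option defaults (ikelifetime 3h, lifetime 1h, margintime 9m, rekeyfuzz 100%) are those of ipsec.conf.

```python
from __future__ import annotations
import random
import re

# Constructed excerpt mirroring the page's conn settings (not read from disk).
IPSEC_CONF = """\
conn %default
    ikelifetime=3600s
    lifetime=3600s
    reauth=yes

conn net-net
    keyexchange=ikev1
    margintime=1m
    rekeyfuzz=100%
    rekey=yes
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value: str) -> int:
    """Convert an ipsec.conf time value such as '9m' or '3600s' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_percent(value: str) -> float:
    """Convert '100%' to 1.0; values above 100% are allowed, as in the man page."""
    m = re.fullmatch(r"(\d+)%", value.strip())
    if not m:
        raise ValueError(f"bad percentage: {value!r}")
    return int(m.group(1)) / 100.0

def parse_conf(text: str) -> dict:
    """Toy ipsec.conf reader: {conn_name: {key: value}} with conn %default merged in.
    Only 'conn' sections are handled; 'config setup' is ignored here."""
    sections: dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():              # section header at column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def rekey_window(lifetime: int, margin: int, fuzz: float) -> tuple[int, int]:
    """Earliest and latest rekey time in seconds after SA setup.
    strongSwan: rekey = lifetime - (margintime + random(0, margintime * rekeyfuzz))."""
    if margin * (1 + fuzz) > lifetime:
        # man page: marginTYPE after the random increase must not exceed lifeTYPE
        raise ValueError("margintime after rekeyfuzz increase exceeds lifetime")
    return lifetime - margin - int(margin * fuzz), lifetime - margin

def sample_rekey_time(lifetime: int, margin: int, fuzz: float, rng=random) -> int:
    """One randomized rekey time, as the daemon would pick it."""
    lo, hi = rekey_window(lifetime, margin, fuzz)
    return rng.randint(lo, hi)

def rekey_plan(conf_text: str, conn: str) -> dict:
    """Rekey windows for the IKE_SA and the IPsec (CHILD) SA of one conn."""
    opts = parse_conf(conf_text)[conn]
    margin = parse_time(opts.get("margintime", "9m"))
    fuzz = parse_percent(opts.get("rekeyfuzz", "100%"))
    return {
        "ike": rekey_window(parse_time(opts.get("ikelifetime", "3h")), margin, fuzz),
        "child": rekey_window(parse_time(opts.get("lifetime", "1h")), margin, fuzz),
        "reauth": opts.get("reauth", "yes") == "yes",
    }

if __name__ == "__main__":
    plan = rekey_plan(IPSEC_CONF, "net-net")
    print("IKE_SA rekey window (s):", plan["ike"])      # (3480, 3540)
    print("IPsec SA rekey window (s):", plan["child"])  # (3480, 3540)
    print("one sampled rekey time:", sample_rekey_time(3600, 60, 1.0))
```

With the page's values (lifetime 3600s, margintime 1m, rekeyfuzz 100%) every SA is renegotiated between 3480 and 3540 seconds after it was set up, i.e. the tunnel never reaches hard expiry as long as the peer answers the rekey. If you shorten a lifetime without also shortening margintime, rekey_window raises the same constraint violation the daemon would reject.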


Original link: https://www.kinber.cn/post/537.html (reprinting requires permission)