reauth = yes | no
whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.
In IKEv2, a value of no rekeys without uninstalling the IPsec SAs, a value of yes (the default)
creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

rekey = yes | no
whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but
while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding
to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.
Also see reauth.

rekeyfuzz = 100% | <percentage>
maximum percentage by which marginbytes, marginpackets and margintime should be randomly increased to randomize
rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100,
followed by a '%'.
The value of marginTYPE, after this random increase, must not exceed lifeTYPE (where TYPE is one of bytes, packets or time).
The value 0% will suppress randomization. Relevant only locally, other end need not agree on it.
Also see Expiry and Rekey.

margintime = 9m | <time>
how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin; acceptable values
as for lifetime (default 9m). Relevant only locally, other end need not agree on it. Also see Expiry and Rekey.

config setup
    uniqueids = never

conn %default
    authby=psk
    type=tunnel
    # a trailing '!' makes the proposal strict: only the listed algorithms are used
    ike=aes-sha1-modp1024!
    # IKE_SA and IPsec SA lifetimes are both one hour
    ikelifetime=3600s
    reauth=yes
    esp=aes-sha1-modp1024!
    lifetime=3600s
    # IKEv1 aggressive mode; with authby=psk it exposes a hash of the PSK to offline guessing
    aggressive=yes

conn net-net
    keyexchange=ikev1
    left=%any
    leftsubnet=192.168.23.0/24
    leftid=@A.com
    leftfirewall=yes
    right=x.x.x.x
    rightsubnet=192.168.168.0/22
    rightid=@B.com
    auto=start
    type=tunnel
    # rekeying starts 60 to 120 seconds before expiry (margintime plus up to 100% fuzz)
    margintime=1m
    rekeyfuzz=100%
    rekey=yes

conn net-net2
    keyexchange=ikev1
    left=%any
    leftsubnet=192.168.1.0/24
    leftid=@A.com
    leftfirewall=yes
    right=x.x.x.x
    rightsubnet=192.168.168.0/22
    rightid=@B.com
    auto=start
    type=tunnel
    margintime=1m
    rekeyfuzz=100%
    rekey=yes
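
The rekey window that the timing values above produce, as an added example (not part of the original post and not strongSwan code). It applies the formula from strongSwan's Expiry and Rekey documentation, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)), and enforces the rule that the fuzzed margin must not exceed the lifetime. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: only the timing values from the configuration above.
SAMPLE_CONF = """\
conn %default
    ikelifetime=3600s
    lifetime=3600s
conn net-net
    margintime=1m
    rekeyfuzz=100%
"""
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "margintime": "9m", "rekeyfuzz": "100%"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}  # time suffix -> seconds

def seconds(value):
    """Convert an ipsec.conf time value such as 3600s, 9m or 1h to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn name: settings}, layering ipsec.conf defaults, conn %default, conn."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    base = {**DEFAULTS, **sections.pop("%default", {})}
    return {name: {**base, **opts} for name, opts in sections.items()}

def rekey_window(opts, life_key="lifetime"):
    """(earliest, latest) start of rekeying, in seconds after the SA is established."""
    life, margin = seconds(opts[life_key]), seconds(opts["margintime"])
    worst = margin * (1 + int(opts["rekeyfuzz"].rstrip("%")) / 100)  # largest fuzzed margin
    if worst > life:
        raise ValueError(f"margintime with fuzz ({worst:.0f}s) exceeds {life_key} ({life:.0f}s)")
    return life - worst, life - margin

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE_CONF).items():
        print(name, rekey_window(opts), rekey_window(opts, "ikelifetime"))
```

With the values above, both the IKE_SA and the IPsec SA start rekeying between 3480 and 3540 seconds after they are established.
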
Article link: https://www.kinber.cn/post/537.html. Reproduction requires authorization!