2019-04-12 14:37:32

strongSwan IPsec VPN: reconnecting after a dropped connection (rekey)

reauth = yes | no

whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.
In IKEv2, a value of no rekeys without uninstalling the IPsec SAs, a value of yes (the default)
creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

rekey = yes | no

whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but
while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding
to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.
Also see reauth.

rekeyfuzz = 100% | <percentage>

maximum percentage by which marginbytes, marginpackets and margintime should be randomly increased to randomize
rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100,
followed by a '%'.
The value of marginTYPE, after this random increase, must not exceed lifeTYPE (where TYPE is one of bytes, packets or time).
The value 0% will suppress randomization. Relevant only locally, other end need not agree on it.
Also see Expiry and Rekey.


margintime = 9m | <time>

how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin; acceptable values
as for lifetime (default 9m). Relevant only locally, other end need not agree on it. Also see Expiry and Rekey.



config setup
    uniqueids = never

conn %default
    authby=psk
    type=tunnel
    # The trailing "!" makes the proposal strict: only this suite is offered or accepted.
    ike=aes-sha1-modp1024!
    ikelifetime=3600s
    reauth=yes
    esp=aes-sha1-modp1024!
    lifetime=3600s
    # IKEv1 aggressive mode with a PSK exposes a hash of the PSK to offline guessing.
    aggressive=yes

conn net-net
    keyexchange=ikev1
    left=%any
    leftsubnet=192.168.23.0/24
    leftid=@A.com
    leftfirewall=yes
    right=x.x.x.x
    rightsubnet=192.168.168.0/22
    rightid=@B.com
    auto=start
    type=tunnel
    # Begin negotiating a replacement 1 to 2 minutes before expiry (margintime plus up to 100% fuzz).
    margintime=1m
    rekeyfuzz=100%
    rekey=yes

conn net-net2
    keyexchange=ikev1
    left=%any
    leftsubnet=192.168.1.0/24
    leftid=@A.com
    leftfirewall=yes
    right=x.x.x.x
    rightsubnet=192.168.168.0/22
    rightid=@B.com
    auto=start
    type=tunnel
    margintime=1m
    rekeyfuzz=100%
    rekey=yes
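
An added example (not from the original post or the strongSwan project): it applies the rule from the "Expiry and Rekey" section of ipsec.conf(5), rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)), to the timing keys of the configuration above. The function names and the trimmed sample are constructed for illustration; the ikelifetime (3h) and lifetime (1h) defaults come from ipsec.conf(5), not from this page.

```python
import re

# Constructed sample: only the timing-relevant keys of the configuration on this page.
SAMPLE_CONF = """\
conn %default
    ikelifetime=3600s
    lifetime=3600s
conn net-net
    margintime=1m
    rekeyfuzz=100%
    rekey=yes
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# ipsec.conf(5) defaults, used when a key is absent from the file.
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "margintime": "9m", "rekeyfuzz": "100%"}

def seconds(value):
    """Convert an ipsec.conf time value such as 3600s, 9m or 1h to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conns(text):
    """Return {conn name: settings} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # a new section starts at column 0
            current = conns.setdefault(line.split()[1], {}) if line.startswith("conn ") else None
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    base = {**DEFAULTS, **conns.pop("%default", {})}
    return {name: {**base, **cfg} for name, cfg in conns.items()}

def rekey_window(cfg, life_key="lifetime"):
    """(earliest, latest) seconds after SA setup at which this end starts rekeying."""
    if cfg.get("rekey", "yes") == "no":
        return None  # this end never initiates; the peer still may
    life, margin = seconds(cfg[life_key]), seconds(cfg["margintime"])
    fuzz = int(cfg["rekeyfuzz"].rstrip("%")) / 100
    if margin * (1 + fuzz) > life:
        raise ValueError("margintime after fuzz exceeds lifetime")
    return int(life - margin * (1 + fuzz)), life - margin
```

For the settings above, both the IKE SA and the IPsec SA are renegotiated between 3480 and 3540 seconds after they are established.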



