author: Tobias Brunner <tobias@strongswan.org> 2017-03-21 16:03:54 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2017-05-23 18:46:49 +0200
commit: 44107cb7b75551e02afd56061534495c10b94de3 (patch)
tree: 4e3bfad83d2ca7059dea2d84fbf481f519262a2e /conf
parent: ba0796fe75b1a8b6e23ff8543058baa909beae8f (diff)
child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs
After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.
Diffstat (limited to 'conf')
1 files changed, 10 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index a5f03f272..3593c6a5f 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -75,6 +75,16 @@ charon.delete_rekeyed = no
However, this might cause problems with implementations that continue to
use rekeyed SAs until they expire.
+charon.delete_rekeyed_delay = 5
+ Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
+ only).
+ Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
+ only). To process delayed packets the inbound part of a CHILD_SA is kept
+ installed up to the configured number of seconds after it got replaced
+ during a rekeying. If set to 0 the CHILD_SA will be kept installed until it
+ expires (if no lifetime is set it will be destroyed immediately).
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
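Review bot: the new charon.delete_rekeyed_delay description should spell out the security trade-off and its relation to the adjacent charon.delete_rekeyed option. Keeping the inbound part of a rekeyed CHILD_SA installed means packets protected by the superseded keys are still accepted for the configured number of seconds, so the text should say that the delay widens that acceptance window and that operators who need a strict cut-over should keep it small. The sentence "If set to 0 the CHILD_SA will be kept installed until it expires (if no lifetime is set it will be destroyed immediately)" also packs two outcomes into one value; stating plainly that 0 disables the timer and leaves removal to the SA lifetime, with immediate destruction only when no lifetime exists, would make it unambiguous. Finally, a short note that the option has no effect when charon.delete_rekeyed is not in use for IKEv2 (or a pointer to that option) would help readers who find one setting but not the other.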