author | Tobias Brunner <tobias@strongswan.org> | 2017-03-21 16:03:54 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 18:46:49 +0200 |
commit | 44107cb7b75551e02afd56061534495c10b94de3 (patch) | |
tree | 4e3bfad83d2ca7059dea2d84fbf481f519262a2e /conf | |
parent | ba0796fe75b1a8b6e23ff8543058baa909beae8f (diff) | |
download | strongswan-44107cb7b75551e02afd56061534495c10b94de3.tar.bz2 strongswan-44107cb7b75551e02afd56061534495c10b94de3.tar.xz |
child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs
After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't
destroy the CHILD_SA (and the inbound SA) immediately. We delay it
a few seconds or until the SA expires to allow delayed packets to get
processed. The CHILD_SA remains in state CHILD_DELETING until it finally
gets destroyed.
Diffstat (limited to 'conf')
-rw-r--r-- | conf/options/charon.opt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index a5f03f272..3593c6a5f 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -75,6 +75,16 @@ charon.delete_rekeyed = no However, this might cause problems with implementations that continue to use rekeyed SAs until they expire. +charon.delete_rekeyed_delay = 5 + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). + + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). To process delayed packets the inbound part of a CHILD_SA is kept + installed up to the configured number of seconds after it got replaced + during a rekeying. If set to 0 the CHILD_SA will be kept installed until it + expires (if no lifetime is set it will be destroyed immediately). + charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. |
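Review bot: the new description for `charon.delete_rekeyed_delay` does not say how it relates to `charon.delete_rekeyed`, which sits directly above it in the hunk's context, i.e. whether the delay applies only to rekeyed CHILD_SAs that this side deletes or also to those the peer deletes; one sentence on that would avoid guesswork for operators tuning both options together. It would also help to state, as the commit message does, that the CHILD_SA stays in state CHILD_DELETING while the inbound SA is retained, since that is what status output will show during the delay. Finally, because the option keeps the old inbound SA accepting packets for up to the configured number of seconds after it was replaced, the text should make explicit that this window is still bounded by the SA's lifetime (the 0 case already says so, the non-zero case does not), so the default of 5 seconds can be weighed against the longer exposure of the old keys.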