Diffstat (limited to 'src/libcharon/plugins')
-rw-r--r-- | src/libcharon/plugins/vici/README.md | 5 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 31 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_query.c | 11 |
3 files changed, 32 insertions, 15 deletions
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index f7dbb8284..cf5a85a8d 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -734,6 +734,8 @@ _list-conns_ command.
 <list of valid remote IKE endpoint addresses>
 ]
 version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
+ reauth_time = <IKE_SA reauthentication interval in seconds>
+ rekey_time = <IKE_SA rekeying interval in seconds>
 local*, remote* = { # multiple local and remote auth sections
 class = <authentication type>
@@ -758,6 +760,9 @@ _list-conns_ command.
 children = {
 <CHILD_SA config name>* = {
 mode = <IPsec mode>
+ rekey_time = <CHILD_SA rekeying interval in seconds>
+ rekey_bytes = <CHILD_SA rekeying interval in bytes>
+ rekey_packets = <CHILD_SA rekeying interval in packets>
 local-ts = [
 <list of local traffic selectors>
 ]
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index a1ab56df9..d919e1d94 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -62,12 +62,22 @@
 /**
  * Default IKE rekey time
  */
-#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60)
+#define LFT_DEFAULT_IKE_REKEY_TIME (4 * 60 * 60)
 
 /**
  * Default CHILD rekey time
  */
-#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60)
+#define LFT_DEFAULT_CHILD_REKEY_TIME (1 * 60 * 60)
+
+/**
+ * Default CHILD rekey bytes
+ */
+#define LFT_DEFAULT_CHILD_REKEY_BYTES 0
+
+/**
+ * Default CHILD rekey packets
+ */
+#define LFT_DEFAULT_CHILD_REKEY_PACKETS 0
 
 /**
  * Undefined replay window
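Review bot: The two new definitions at the end of the hunk, `LFT_DEFAULT_CHILD_REKEY_BYTES` and `LFT_DEFAULT_CHILD_REKEY_PACKETS`, are commented only as "Default CHILD rekey bytes/packets", which leaves the meaning of the value 0 unexplained to the next reader. They replace `LFT_UNDEFINED` as the seed for `bytes.rekey`/`packets.rekey` in `children_sn`, so 0 presumably stands for "no volume-based soft limit unless configured" rather than an actual limit of zero; the doc comment should say so, e.g. `/** Default CHILD rekey bytes (0: no volume-based rekeying unless configured) */` and the same wording for packets. If the semantics of 0 are documented in the load-conn section of the README, a pointer to it from these comments would be enough.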
@@ -1443,15 +1453,6 @@ static void check_lifetimes(lifetime_cfg_t *lft)
 {
 lft->packets.life = lft->packets.rekey * 110 / 100;
 }
- /* if no soft lifetime specified, add one at hard lifetime - 10% */
- if (lft->bytes.rekey == LFT_UNDEFINED)
- {
- lft->bytes.rekey = lft->bytes.life * 90 / 100;
- }
- if (lft->packets.rekey == LFT_UNDEFINED)
- {
- lft->packets.rekey = lft->packets.life * 90 / 100;
- }
 /* if no rand time defined, use difference of hard and soft */
 if (lft->time.jitter == LFT_UNDEFINED)
 {
@@ -1485,17 +1486,17 @@ CALLBACK(children_sn, bool,
 .mode = MODE_TUNNEL,
 .lifetime = {
 .time = {
- .rekey = LFT_DEFAULT_CHILD_REKEY,
+ .rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
 .life = LFT_UNDEFINED,
 .jitter = LFT_UNDEFINED,
 },
 .bytes = {
- .rekey = LFT_UNDEFINED,
+ .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
 .life = LFT_UNDEFINED,
 .jitter = LFT_UNDEFINED,
 },
 .packets = {
- .rekey = LFT_UNDEFINED,
+ .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
 .life = LFT_UNDEFINED,
 .jitter = LFT_UNDEFINED,
 },
@@ -2044,7 +2045,7 @@ CALLBACK(config_sn, bool,
 if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
 {
 /* apply a default rekey time if no rekey/reauth time set */
- peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+ peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME;
 peer.reauth_time = 0;
 }
 if (peer.rekey_time == LFT_UNDEFINED)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 4bad88984..04cea004e 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -686,6 +686,7 @@ CALLBACK(list_conns, vici_message_t*,
 uint32_t manual_prio;
 linked_list_t *list;
 traffic_selector_t *ts;
+ lifetime_cfg_t *lft;
 vici_builder_t *b;
 
 ike = request->get_str(request, NULL, "ike");
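Review bot: Dropping the `bytes.rekey`/`packets.rekey == LFT_UNDEFINED` fallback silently changes the outcome for a connection that sets only a hard volume limit: since `children_sn` now seeds those soft limits with 0 instead of `LFT_UNDEFINED`, the removed branch could no longer fire anyway, but a `life_bytes`/`life_packets` value without a matching `rekey_bytes`/`rekey_packets` no longer gets the 90%-of-hard soft limit, and if 0 means "no volume-based rekeying" as the new defaults suggest, the CHILD_SA will presumably hit its hard limit and be deleted instead of being rekeyed first. If that is the intended behaviour, a one-line comment where the fallback used to be, such as `/* no soft volume limit is derived from the hard one: rekey_bytes/rekey_packets of 0 means no volume-based rekeying */`, would stop the next reader from re-adding it; if it is not, the fallback should stay for the `rekey == 0 && life != LFT_UNDEFINED` case. Either way the README text for `life_bytes`/`life_packets` should spell out what happens when only the hard limit is set. `check_lifetimes` starts before this hunk and its jitter handling continues after it.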
@@ -726,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*,
 
 b->add_kv(b, "version", "%N", ike_version_names,
 peer_cfg->get_ike_version(peer_cfg));
+ b->add_kv(b, "reauth_time", "%u",
+ peer_cfg->get_reauth_time(peer_cfg, FALSE));
+ b->add_kv(b, "rekey_time", "%u",
+ peer_cfg->get_rekey_time(peer_cfg, FALSE));
 
 build_auth_cfgs(peer_cfg, TRUE, b);
 build_auth_cfgs(peer_cfg, FALSE, b);
@@ -740,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*,
 
 b->add_kv(b, "mode", "%N", ipsec_mode_names,
 child_cfg->get_mode(child_cfg));
+ lft = child_cfg->get_lifetime(child_cfg, FALSE);
+ b->add_kv(b, "rekey_time", "%"PRIu64, lft->time.rekey);
+ b->add_kv(b, "rekey_bytes", "%"PRIu64, lft->bytes.rekey);
+ b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
+ free(lft);
+
 b->begin_list(b, "local-ts");
 list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 selectors = list->create_enumerator(list);
|
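Review bot: The three `rekey_*` keys added after the `mode` key report the raw soft limits from `get_lifetime()`, so a CHILD_SA without volume-based rekeying is listed as `rekey_bytes = 0` and `rekey_packets = 0` with nothing that tells a client whether 0 means "disabled" or "never set"; now that `children_sn` in vici_config.c seeds these with 0 by default, the README entries for these keys should state that 0 means no volume-based rekeying (assuming that is the semantics, which the commit does not say). The same `lifetime_cfg_t` also carries the hard limits and the jitter, neither of which is reported, so a client still cannot see `life_*`; if leaving them out is deliberate, a comment above `lft = child_cfg->get_lifetime(child_cfg, FALSE);` such as `/* report the configured (un-jittered) soft limits only; hard limits are not exposed */` would make that explicit. Passing `FALSE` for the jitter argument is consistent with the IKE-level `reauth_time`/`rekey_time` keys added in the previous hunk. `list_conns` continues beyond this hunk.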