vici: If a IKE reauth_time is configured, disable the default rekey_time
[strongswan.git] / src / swanctl / swanctl.opt
index 01ff48e..454d4a5 100644 (file)
@@ -220,7 +220,9 @@ connections.<conn>.rekey_time = 4h
        IKEv1 performs a reauthentication procedure instead.
 
        With the default value IKE rekeying is scheduled every 4 hours, minus the
-       configured **rand_time**.
+       configured **rand_time**. If a **reauth_time** is configured, **rekey_time**
+       defaults to zero disabling rekeying; explicitly set both to enforce
+       rekeying and reauthentication.
 
 connections.<conn>.over_time = 10% of rekey_time/reauth_time
        Hard IKE_SA lifetime if rekey/reauth does not complete, as time.