vici: If a IKE reauth_time is configured, disable the default rekey_time
authorMartin Willi <martin@revosec.ch>
Tue, 3 Feb 2015 10:53:09 +0000 (11:53 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 3 Mar 2015 12:49:14 +0000 (13:49 +0100)
src/libcharon/plugins/vici/vici_config.c
src/swanctl/swanctl.opt

index 43b3f07..3ecb10f 100644 (file)
@@ -1751,7 +1751,8 @@ CALLBACK(config_sn, bool,
                .fragmentation = FRAGMENTATION_NO,
                .unique = UNIQUE_NO,
                .keyingtries = 1,
-               .rekey_time = LFT_DEFAULT_IKE_REKEY,
+               .rekey_time = LFT_UNDEFINED,
+               .reauth_time = LFT_UNDEFINED,
                .over_time = LFT_UNDEFINED,
                .rand_time = LFT_UNDEFINED,
        };
@@ -1809,6 +1810,20 @@ CALLBACK(config_sn, bool,
                peer.local_port = charon->socket->get_port(charon->socket, FALSE);
        }
 
+       if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
+       {
+               /* apply a default rekey time if no rekey/reauth time set */
+               peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+               peer.reauth_time = 0;
+       }
+       if (peer.rekey_time == LFT_UNDEFINED)
+       {
+               peer.rekey_time = 0;
+       }
+       if (peer.reauth_time == LFT_UNDEFINED)
+       {
+               peer.reauth_time = 0;
+       }
        if (peer.over_time == LFT_UNDEFINED)
        {
                /* default over_time to 10% of rekey/reauth time if not given */
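Review bot: After the new block zeroes `peer.rekey_time` for a configuration that sets only `reauth_time` (the second `if`, where an undefined value becomes 0), the `over_time` defaulting that follows on the last context line sees a rekey time of 0; if that computation keys on rekey_time alone rather than on the larger of the two lifetimes, a reauth-only setup gets its over_time derived from zero — that code lies outside the hunk, so please confirm. The fact that configuring one lifetime silently disables the other is a policy worth stating at the second `if`, e.g. `/* one configured lifetime disables the other: a reauth-only setup runs no IKE rekeying */`, and emitting the effective rekey/reauth values at DBG_CFG would let an operator notice that rekeying is off rather than discovering it from SA age. As a matter of style, the last two `if` blocks express the same normalisation and could be one step, e.g. `if (peer.rekey_time == LFT_UNDEFINED) peer.rekey_time = 0;` with the same for reauth_time on the next line. config_sn begins before this hunk and continues after it.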
index 01ff48e..454d4a5 100644 (file)
@@ -220,7 +220,9 @@ connections.<conn>.rekey_time = 4h
        IKEv1 performs a reauthentication procedure instead.
 
        With the default value IKE rekeying is scheduled every 4 hours, minus the
-       configured **rand_time**.
+       configured **rand_time**. If a **reauth_time** is configured, **rekey_time**
+       defaults to zero disabling rekeying; explicitly set both to enforce
+       rekeying and reauthentication.
 
 connections.<conn>.over_time = 10% of rekey_time/reauth_time
        Hard IKE_SA lifetime if rekey/reauth does not complete, as time.