
I'm trying to test the performance of my StrongSwan RoadWarrior setup (the standard one found here). As part of this testing, I need to make sure it re-keys properly. I'm not all that familiar with IPSec, but is there a way to manually trigger a rekeying instead of letting it expire at the end of the lifetime? Currently my swanctl.conf has a rekey time set that I could shorten, but I'd like to be able to do it at will with a one-liner.

Will Nilges

1 Answer

Rekeyings can be triggered manually via swanctl/VICI, but also with the legacy `ipsec` script (that's not documented, though).

For swanctl, the command is `--rekey`. The IKE or Child SA to rekey can be selected either by name (`--ike`/`--child`) or by unique ID (`--ike-id`/`--child-id`), which can be determined via the `--list-sas` command. All SAs that match the given selectors are rekeyed, and for IKE SAs it's also possible to trigger a reauthentication via the `--reauth` option. VICI provides the same options via the `rekey()` command, which swanctl uses.

With the `ipsec` script, the undocumented `rekey` command of the stroke utility may be used, i.e. `ipsec stroke rekey <name>`. The format of `<name>` determines which SA is rekeyed, similar to the `down` command. For instance, use `name` or `name[]` to rekey the first IKE SA with that name, or `name{}` for the first Child SA. Putting numbers in `[]` or `{}` allows rekeying via unique ID (the name is optional then). With `name[*]` or `name{*}`, all SAs with the given name are rekeyed.

ecdsa
  • Thanks for the help! Turns out it was also on the manpages, whoops :P One problem, though: I used the `swanctl --rekey` command, but I got an error: `rekey failed: missing rekey selector`. I can't seem to find any information beyond inserting some arcane field in my `ipsec.conf`. Any advice for that? – Will Nilges Jun 05 '20 at 16:53
  • You need to specify which SA to rekey, either by name and/or ID, using the parameters I described. – ecdsa Jun 08 '20 at 08:26
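The `missing rekey selector` error in the comments comes from calling `swanctl --rekey` without any of the selectors the answer lists. The following POSIX shell wrapper is an added example, not code from the original answer or from the strongSwan project: it refuses to call `swanctl --rekey` until an `--ike`, `--child`, `--ike-id` or `--child-id` selector is supplied, checks that `--reauth` is only combined with an IKE selector, and also builds the `<name>` argument for the legacy `ipsec stroke rekey` form. The helper names (`build_rekey_cmd`, `rekey_sa`, `stroke_rekey_name`) and the `REKEY_DRY_RUN` variable are assumptions of this example; it assumes `swanctl` is on `PATH` and charon is running when a real rekey is requested.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps "swanctl --rekey" so that
# the selector the daemon requires is always present, and builds the <name>
# argument for "ipsec stroke rekey". Helper names and REKEY_DRY_RUN are
# assumptions of this example.

# Usage: build_rekey_cmd <kind> <selector> [reauth]
#   kind     : ike | child | ike-id | child-id
#   selector : IKE/child name (for ike/child) or numeric unique ID (for *-id),
#              IDs can be looked up with "swanctl --list-sas"
#   reauth   : literal "reauth" to add --reauth (IKE SAs only)
# Prints the swanctl command line on stdout; returns 1 on a missing or
# invalid selector instead of letting the daemon answer
# "rekey failed: missing rekey selector".
build_rekey_cmd() {
    kind=$1
    sel=$2
    reauth=${3:-}

    if [ -z "$sel" ]; then
        echo "error: rekey selector required (--ike/--child/--ike-id/--child-id)" >&2
        return 1
    fi

    case "$kind" in
        ike)      opt="--ike" ;;
        child)    opt="--child" ;;
        ike-id)   opt="--ike-id" ;;
        child-id) opt="--child-id" ;;
        *) echo "error: unknown selector kind '$kind'" >&2; return 1 ;;
    esac

    # Unique IDs are integers; anything else would be passed to swanctl as junk.
    case "$kind" in
        *-id)
            case "$sel" in
                *[!0-9]*) echo "error: $opt expects a numeric SA ID" >&2; return 1 ;;
            esac ;;
    esac

    cmd="swanctl --rekey $opt $sel"
    if [ "$reauth" = "reauth" ]; then
        case "$kind" in
            ike|ike-id) cmd="$cmd --reauth" ;;
            *) echo "error: --reauth only applies to IKE SAs" >&2; return 1 ;;
        esac
    fi
    printf '%s\n' "$cmd"
}

# Execute the rekey, or only print the command when REKEY_DRY_RUN is set.
rekey_sa() {
    cmd=$(build_rekey_cmd "$@") || return 1
    if [ -n "${REKEY_DRY_RUN:-}" ]; then
        printf 'would run: %s\n' "$cmd"
    else
        # shellcheck disable=SC2086
        $cmd
    fi
}

# Build the <name> argument for the legacy "ipsec stroke rekey <name>" form.
# Usage: stroke_rekey_name <name> <ike|child> [first|all|<id>]
#   first -> name[] / name{}   (first SA with that name)
#   all   -> name[*] / name{*} (every SA with that name)
#   <id>  -> name[<id>] / name{<id>} (the name may be empty here)
stroke_rekey_name() {
    name=$1
    scope=$2
    what=${3:-first}
    case "$scope" in
        ike)   open='['; close=']' ;;
        child) open='{'; close='}' ;;
        *) echo "error: scope must be ike or child" >&2; return 1 ;;
    esac
    case "$what" in
        first) printf '%s%s%s\n'   "$name" "$open" "$close" ;;
        all)   printf '%s%s*%s\n'  "$name" "$open" "$close" ;;
        *)     printf '%s%s%s%s\n' "$name" "$open" "$what" "$close" ;;
    esac
}

# Example invocations (constructed names; rw is a hypothetical connection name):
#   REKEY_DRY_RUN=1 rekey_sa ike rw
#   REKEY_DRY_RUN=1 rekey_sa ike-id 7 reauth
#   ipsec stroke rekey "$(stroke_rekey_name rw child all)"
```

Run a real rekey with `rekey_sa ike <name>` after confirming the name or ID with `swanctl --list-sas`; with `REKEY_DRY_RUN=1` set the wrapper only shows the command it would issue, which is handy when scripting the rekey test the question asks about.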