swanctl: Document soft lifetime defaults if hard lifetimes are config…

…ured
strongswan · Oct 30, 2024 · 9706eff · 9706eff
1 parent 4786ab7
commit 9706eff
Showing 1 changed file with 12 additions and 8 deletions.
diff --git a/docs/modules/ROOT/partials/config/swanctl-rekey-child.adoc b/docs/modules/ROOT/partials/config/swanctl-rekey-child.adoc
@@ -1,9 +1,11 @@
-|<child>.rekey_time        |`1h`
+|<child>.rekey_time        |[->]
 |Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key material,
  optionally using a Diffie-Hellman exchange if a group is specified in the proposal.
  To avoid rekey collisions initiated by both ends simultaneously, a value in the
- range of `*rand_time*` gets subtracted to form the effective soft lifetime. By
- default CHILD_SA rekeying is scheduled every hour, minus `*rand_time*`
+ range of `*rand_time*` gets subtracted to form the effective soft lifetime.
+ If `*life_time*` is explicitly configured, it defaults to 10% less than that,
+ otherwise CHILD_SA rekeying is scheduled every hour, minus `*rand_time*`.
+ [`1h` or `life_time / 1.1`]
 
 |<child>.life_time         |[->]
 |Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime is never
@@ -16,13 +18,14 @@
  The default is the difference between `*life_time*` and `*rekey_time*`.
  [`life_time - rekey_time`]
 
-|<child>.rekey_bytes       |`0`
+|<child>.rekey_bytes       |[->]
 |Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA rekeying
  refreshes key material, optionally using a Diffie-Hellman exchange if a group is
  specified in the proposal. To avoid rekey collisions initiated by both ends
  simultaneously, a value in the range of `*rand_bytes*` gets subtracted to form
  the effective soft volume limit. Volume based CHILD_SA rekeying is disabled by
- default
+ default. If `*life_bytes*` is explicitly configured, it defaults to 10% less
+ than that. [`0` or `life_bytes / 1.1`]
 
 |<child>.life_bytes        |
 |Maximum bytes processed before CHILD_SA gets closed. Usually this hard volume
@@ -35,19 +38,20 @@
  The default is the difference between `*life_bytes*` and `*rekey_bytes*`.
  [`life_bytes - rekey_bytes`]
 
-|<child>.rekey_packets     |`0`
+|<child>.rekey_packets     |[->]
 |Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA rekeying
  refreshes key material, optionally using a Diffie-Hellman exchange if a group is
  specified in the proposal. To avoid rekey collisions initiated by both ends
  simultaneously, a value in the range of `*rand_packets*` gets subtracted to form
  the effective soft packet count limit. Packet count based CHILD_SA rekeying is
- disabled by default
+ disabled by default. If `*life_packets*` is explicitly configured, it defaults
+ to 10% less than that. [`0` or `life_packets / 1.1`]
 
 |<child>.life_packets      |[->]
 |Maximum number of packets processed before CHILD_SA gets closed. Usually this
  hard packets limit is never reached, because the CHILD_SA gets rekeyed before.
  If that fails for whatever reason, this limit closes the CHILD_SA. The default
- is 10% more than `*rekey_bytes*`. [`1.1 * rekey_packets`]
+ is 10% more than `*rekey_packets*`. [`1.1 * rekey_packets`]
 
 |<child>.rand_packets      |[->]
 |Packet range from which to choose a random value to subtract from `*rekey_packets*`.