From 9706eff1be8e88cdfebe31f7cf7e747dd6caa67b Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Wed, 30 Oct 2024 12:13:36 +0100 Subject: [PATCH] swanctl: Document soft lifetime defaults if hard lifetimes are configured --- .../partials/config/swanctl-rekey-child.adoc | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/modules/ROOT/partials/config/swanctl-rekey-child.adoc b/docs/modules/ROOT/partials/config/swanctl-rekey-child.adoc index e5bd30b5..b6fb1aa5 100644 --- a/docs/modules/ROOT/partials/config/swanctl-rekey-child.adoc +++ b/docs/modules/ROOT/partials/config/swanctl-rekey-child.adoc @@ -1,9 +1,11 @@ -|.rekey_time |`1h` +|.rekey_time |[->] |Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. To avoid rekey collisions initiated by both ends simultaneously, a value in the - range of `*rand_time*` gets subtracted to form the effective soft lifetime. By - default CHILD_SA rekeying is scheduled every hour, minus `*rand_time*` + range of `*rand_time*` gets subtracted to form the effective soft lifetime. + If `*life_time*` is explicitly configured, it defaults to 10% less than that, + otherwise CHILD_SA rekeying is scheduled every hour, minus `*rand_time*`. + [`1h` or `life_time / 1.1`] |.life_time |[->] |Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime is never 
@@ -16,13 +18,14 @@ The default is the difference between `*life_time*` and `*rekey_time*`. [`life_time - rekey_time`] -|.rekey_bytes |`0` +|.rekey_bytes |[->] |Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. To avoid rekey collisions initiated by both ends simultaneously, a value in the range of `*rand_bytes*` gets subtracted to form the effective soft volume limit. Volume based CHILD_SA rekeying is disabled by - default + default. If `*life_bytes*` is explicitly configured, it defaults to 10% less + than that. [`0` or `life_bytes / 1.1`] |.life_bytes | |Maximum bytes processed before CHILD_SA gets closed. Usually this hard volume @@ -35,19 +38,20 @@ The default is the difference between `*life_bytes*` and `*rekey_bytes*`. [`life_bytes - rekey_bytes`] -|.rekey_packets |`0` +|.rekey_packets |[->] |Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. To avoid rekey collisions initiated by both ends simultaneously, a value in the range of `*rand_packets*` gets subtracted to form the effective soft packet count limit. Packet count based CHILD_SA rekeying is - disabled by default + disabled by default. If `*life_packets*` is explicitly configured, it defaults + to 10% less than that. [`0` or `life_packets / 1.1`] |.life_packets |[->] |Maximum number of packets processed before CHILD_SA gets closed. Usually this hard packets limit is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA. The default - is 10% more than `*rekey_bytes*`. [`1.1 * rekey_packets`] + is 10% more than `*rekey_packets*`. [`1.1 * rekey_packets`] |.rand_packets |[->] |Packet range from which to choose a random value to subtract from `*rekey_packets*`.
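Review bot: In the `.rekey_time` hunk (first hunk, lines describing the soft lifetime default), "it defaults to 10% less than that" does not match the bracketed formula `life_time / 1.1`, which is about 9.1% less than `life_time`; the 10% figure is correct in the other direction (`life_time` defaults to `1.1 * rekey_time`). Suggest wording it as "rekey_time defaults to `life_time / 1.1`, so that the hard lifetime stays 10% above the soft lifetime", which also resolves the ambiguous "it" (the sentence follows one about `rand_time`, so a reader may take "it" to refer to `rand_time`). It would also help to state explicitly that this derived default only applies when `rekey_time` is not set, since the text now says nothing about the case where both values are configured.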
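Review bot: Same precision issue in the `.rekey_bytes` hunk (second hunk): "10% less than that" versus the actual `life_bytes / 1.1`; suggest "defaults to `life_bytes / 1.1` if `*life_bytes*` is explicitly configured" to keep the prose and the bracketed formula in agreement. Separately, the unchanged context in this hunk shows the `.life_bytes` row with an empty default cell (`|.life_bytes | |`), while `.life_time` and `.life_packets` use `[->]` for their computed defaults; since this change converts the `rekey_*` defaults to `[->]`, it would be consistent to set `.life_bytes` to `[->]` as well.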
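Review bot: The `.rekey_packets` hunk (third hunk) correctly fixes the copy-paste error in the `.life_packets` description (`*rekey_bytes*` to `*rekey_packets*`, matching the `[`1.1 * rekey_packets`]` formula that was already there). The new sentence has the same "10% less than that" wording as the other two hunks, whereas `life_packets / 1.1` is roughly 9.1% less; aligning the three descriptions on the formula rather than the rounded percentage avoids an operator computing a hard limit that is only 10% above a soft limit they set by hand and then finding the documented ratio does not hold. "hard packets limit" in the unchanged context would also read better as "hard packet limit" if this row is being touched anyway.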