Set the rekey time to 1 hour

The default rekey time is "never", which means that once 2^32 packets are sent over a connection, it is dead. Fix this by rekeying every now and then. 1 hour is roughly the time it takes to send 2^32 128-byte packets over a gigabit link.
flannel-io · May 17, 2021 · 13b45ef · 13b45ef
1 parent f4d044b
commit 13b45ef
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/backend/ipsec/handle_charon.go b/backend/ipsec/handle_charon.go
@@ -156,15 +156,15 @@ func (charon *CharonIKEDaemon) LoadConnection(localLease, remoteLease *subnet.Le
 
 	childConfMap := make(map[string]goStrongswanVici.ChildSAConf)
 	childSAConf := goStrongswanVici.ChildSAConf{
-		Local_ts:     []string{localLease.Subnet.String()},
-		Remote_ts:    []string{remoteLease.Subnet.String()},
-		ESPProposals: []string{charon.espProposal},
-		StartAction:  "start",
-		CloseAction:  "trap",
-		DpdAction:    "restart",
-		Mode:         "tunnel",
-		ReqID:        reqID,
-		//		RekeyTime:     rekeyTime,
+		Local_ts:      []string{localLease.Subnet.String()},
+		Remote_ts:     []string{remoteLease.Subnet.String()},
+		ESPProposals:  []string{charon.espProposal},
+		StartAction:   "start",
+		CloseAction:   "trap",
+		DpdAction:     "restart",
+		Mode:          "tunnel",
+		ReqID:         reqID,
+		RekeyTime:     "1h",
 		InstallPolicy: "no",
 	}