[strongSwan] best practice for IKEv2 lifetimes
Waldemar Brodkorb
wbx at openadk.org
Wed Mar 7 15:56:57 CET 2018
Hi,
We are using Strongswan 5.5.1 on Debian 9 with IKEv2.
The other sides are Cisco ISR 2900 routers. The connection works
fine, but sometimes we have a disconnect and the tunnels on the
Cisco side are marked as down. After /etc/init.d/ipsec restart
everything works again.
In the early days when I started using IPsec this always turned out to
be a difference in the lifetime configured for the IKE SA or IPsec SA.
I am new to IKEv2 and started investigating the problem. RFC 7296
clearly states: "A difference between IKEv1 and IKEv2 is that in
IKEv1 SA lifetimes were negotiated. In IKEv2, each end of the SA is
responsible for enforcing its own lifetime policy on the SA and
rekeying the SA when necessary. If the two ends have different
lifetime policies, the end with the shorter lifetime will end up
always being the one to request the rekeying."
What is best practice to define a lifetime?
Should it be defined on the Cisco side or on the Strongswan side?
Or on both sides different to avoid simultaneous rekeying?
Strongswan has some options for jittering the lifetime, but I think
Cisco side does not have it.
What if I want IKE SA rekeying after 24 hours and IPsec SA rekeying
after 1 hour?
We use ipsec.conf, our template looks like this for now:
config setup
        # Enable debug logs:
        #charondebug="ike 2, cfg 2"
        charonstart=yes

conn %default
        ikelifetime=1440m
        keylife=60m
        ike=aes256-sha512-modp4096
        esp=aes256-sha512
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev2
        authby=rsasig

conn host-vpn1
        leftcert=<%= @fqdn %>.pem
        left=%any
        right=<%= @router1 %>
        rightid=%any
        type=transport
        auto=add

conn host-vpn2
        leftcert=<%= @fqdn %>.pem
        left=%any
        right=<%= @router2 %>
        rightid=%any
        type=transport
        auto=add
Should I better add "reauth = no" to avoid a short connection outage and
just explicitly enable "rekey = yes" and "rekeyfuzz = 100%" to avoid
rekeying of both tunnels in the same timeframe?
Best regards
Waldemar
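The following is an added example (not part of the original post and not strongSwan code) that models the rekey timing the message asks about: strongSwan starts a rekey at lifetime minus rekeymargin, where the margin is randomly increased by up to rekeyfuzz percent, so the values from the ipsec.conf above give a rekey window rather than a fixed point. It checks that window against an assumed lifetime on the peer (the Cisco value is a constructed sample, not taken from any router) to see which side would initiate, per the RFC 7296 rule quoted above, and estimates how often two tunnels with identical settings would rekey at almost the same time.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyPolicy:
    """Model of strongSwan's rekeying parameters, all in seconds/percent.

    lifetime_s: ikelifetime or keylife; margin_s: rekeymargin (margintime);
    fuzz_pct: rekeyfuzz, the maximum random increase of the margin.
    """
    lifetime_s: int
    margin_s: int
    fuzz_pct: int = 100

    def window(self):
        """Earliest and latest SA age at which this side starts a rekey."""
        latest = self.lifetime_s - self.margin_s
        earliest = self.lifetime_s - self.margin_s * (100 + self.fuzz_pct) // 100
        return earliest, latest

    def is_valid(self):
        """strongSwan rejects a fuzzed margin that is not below the lifetime."""
        return self.window()[0] > 0

    def sample_rekey_time(self, rng):
        earliest, latest = self.window()
        return rng.uniform(earliest, latest)


def minutes(m):
    return m * 60


def who_rekeys_first(local, peer_lifetime_s):
    """Assumes the peer rekeys exactly at its configured lifetime (no margin)."""
    earliest, latest = local.window()
    if peer_lifetime_s < earliest:
        return "peer"
    if peer_lifetime_s > latest:
        return "local"
    return "collision-risk"   # peer lifetime falls inside our rekey window


def same_time_probability(policy, tolerance_s, trials=20000, seed=1):
    """Monte Carlo estimate: two tunnels with this policy rekey within tolerance."""
    rng = random.Random(seed)
    hits = sum(
        abs(policy.sample_rekey_time(rng) - policy.sample_rekey_time(rng)) <= tolerance_s
        for _ in range(trials)
    )
    return hits / trials
```

With ikelifetime=1440m and rekeymargin=3m, strongSwan initiates between 1434 and 1437 minutes, so a peer configured for a plain 24 h lifetime never gets to rekey first.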