[strongSwan] best practice for IKEv2 lifetimes

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Mar 8 11:43:59 CET 2018


Hi,

Set the correct lifetime locally and a sizeable margintime.
That works around the issue of bad administration on the other end. If they set it up right, the lifetime is exactly the same as on your side, the margintime makes a collision unlikely.
If the lifetime on your side is less than on their side, you rekey earlier than them, so no problem.
If the lifetime on their side is less than on your side, they rekey earlier than you, so no problem.
For the rekeying itself, use a rekeyfuzz value that results in a time span of several minutes.

You can try using make then break (search the man page for strongswan.conf) for IKEv2. If it works with CISCO, then it's fine.
Otherwise, you'll have to make do with that. There were some commits merged into master a couple of versions ago that make auto=route work better with IKEv2 during rekeyings and reauthentication,
so this might be the proper solution for you.

There are different settings for IKE SA and IPsec SA rekeyings. They're a little bit obscurely described on the man page for ipsec.conf, but that should not be an issue. The bottom of the man page should help you tell the difference.

Kind regards

Noel

On 07.03.2018 15:56, Waldemar Brodkorb wrote:
> Hi,
>
> We are using Strongswan 5.5.1 on Debian 9 with IKEv2.
> The other sides are Cisco ISR 2900 routers. The connection works
> fine, but sometimes we have a disconnect and the tunnels on the
> Cisco side marked as down. After /etc/init.d/ipsec restart
> everything works again.
>
> In the early days when I started using IPsec this always meant to
> be a difference in the lifetime configured for IKE SA or IPsec SA.
>
> I am new to IKEv2 and started investigating the problem, the RFC7296
> clearly states: "A difference between IKEv1 and IKEv2 is that in
> IKEv1 SA lifetimes were negotiated.  In IKEv2, each end of the SA is
> responsible for enforcing its own lifetime policy on the SA and
> rekeying the SA when necessary.  If the two ends have different
> lifetime policies, the end with the shorter lifetime will end up
> always being the one to request the rekeying."
>
> What is best practice to define a lifetime? 
> Should it be defined on the Cisco side or on the Strongswan side?
> Or on both sides different to avoid simultaneous rekeying?
> Strongswan has some options for jittering the lifetime, but I think
> Cisco side does not have it.
> What if I want IKE SA rekeying after 24 hours and IPsec SA rekeying
> after 1 hour?
>
> We use ipsec.conf, our template looks like this for now:
> config setup
>       # Enable debug logs:
>         #charondebug="ike 2, cfg 2"
>         charonstart=yes
> conn %default
>         ikelifetime=1440m
>         keylife=60m
>         ike=aes256-sha512-modp4096
>         esp=aes256-sha512
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         keyexchange=ikev2
>         authby=rsasig
>
> conn host-vpn1
>         leftcert=<%= @fqdn %>.pem
>         left=%any
>         right=<%= @router1 %>
>         rightid=%any
>         type=transport
>         auto=add
>
> conn host-vpn2
>         leftcert=<%= @fqdn %>.pem
>         left=%any
>         right=<%= @router2 %>
>         rightid=%any
>         type=transport
>         auto=add
>
> Should I better add "reauth = no" to avoid short connection outage and
> just explicitly enable "rekey = yes" and "rekeyfuzz = 100%" to avoid
> rekeying of both tunnels in the same timeframe?
>
> best regards
>  Waldemar
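The following is an added example, not code from this thread or from the strongSwan project. It turns ipsec.conf-style lifetime, rekeymargin and rekeyfuzz values into the rekey window charon will actually use (rekeying starts rekeymargin before expiry, moved earlier by a random amount of up to rekeymargin times rekeyfuzz, as the ipsec.conf man page describes) and then checks it against a peer that rekeys at a fixed time. The fixed-time peer model, the `guard` interval and all function names are assumptions made for illustration; they say nothing about how a particular router vendor schedules rekeying.

```python
"""Rekey-window helper for strongSwan ipsec.conf-style settings (added example).

Model (from the ipsec.conf semantics of rekeymargin/rekeyfuzz):
  latest rekey   = lifetime - rekeymargin
  earliest rekey = latest - rekeymargin * rekeyfuzz
  hard expiry    = lifetime
The peer is modelled as rekeying at one fixed, unjittered instant; that is
an assumption for illustration only.
"""
import re
from dataclasses import dataclass

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Parse an ipsec.conf time value ('1440m', '60m', '3m', '24h', '30') into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])?\s*", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_percent(value: str) -> float:
    """Parse a rekeyfuzz value such as '100%' or '250%' into a factor (1.0, 2.5)."""
    m = re.fullmatch(r"\s*(\d+)\s*%?\s*", value)
    if not m:
        raise ValueError(f"bad percentage: {value!r}")
    return int(m.group(1)) / 100.0


@dataclass(frozen=True)
class RekeyWindow:
    earliest: int      # seconds after SA establishment
    latest: int
    hard_expiry: int

    @property
    def span(self) -> int:
        """Width of the randomised window; Noel's advice is to make this several minutes."""
        return self.latest - self.earliest


def rekey_window(lifetime: str, rekeymargin: str = "9m", rekeyfuzz: str = "100%") -> RekeyWindow:
    """Compute the local rekey window; defaults match the ipsec.conf defaults (9m, 100%)."""
    life = parse_time(lifetime)
    margin = parse_time(rekeymargin)
    fuzz = parse_percent(rekeyfuzz)
    latest = life - margin
    earliest = latest - int(margin * fuzz)
    if earliest <= 0:
        raise ValueError("rekeymargin (including fuzz) must be shorter than the lifetime")
    return RekeyWindow(earliest, latest, life)


def who_rekeys_first(local: RekeyWindow, peer_rekey_at: int) -> str:
    """RFC 7296: the end with the shorter lifetime policy is the one that requests rekeying."""
    if local.latest < peer_rekey_at:
        return "local"
    if peer_rekey_at < local.earliest:
        return "peer"
    return "either"


def rekey_collision_possible(local: RekeyWindow, peer_rekey_at: int, guard: int = 60) -> bool:
    """True if the peer's (assumed fixed) rekey instant lies within 'guard' seconds of the
    local window, i.e. both ends could start rekeying the same SA at about the same time."""
    return local.earliest - guard <= peer_rekey_at <= local.latest + guard


if __name__ == "__main__":
    # Constructed values: the ikelifetime/rekeymargin from the quoted template
    # versus a peer configured with the same 24h lifetime and no jitter.
    ike = rekey_window("1440m", "3m", "100%")
    peer = parse_time("1440m")
    print(f"IKE rekey window {ike.earliest}-{ike.latest}s, expiry {ike.hard_expiry}s, span {ike.span}s")
    print("first to rekey:", who_rekeys_first(ike, peer))
    print("collision possible:", rekey_collision_possible(ike, peer))
```

With the quoted template (ikelifetime=1440m, rekeymargin=3m, rekeyfuzz=100%) the randomised span is only 180 seconds; raising rekeymargin widens it, which is what "a time span of several minutes" amounts to. When both ends use the same lifetime the local side, rekeying rekeymargin before expiry, is always the initiator and no collision is flagged.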
