[strongSwan] best practice for IKEv2 lifetimes
Waldemar Brodkorb
wbx at openadk.org
Fri Mar 23 14:03:56 CET 2018
Hi Noel,
Noel Kuntze wrote,
> Hi,
>
> Set the correct life time locally and a sizeable margintime.
> That works around the issue of bad administration on the other end. If they set it up right, the lifetime is exactly the same as on your side, the margintime makes a collision unlikely.
> If the lifetime on your side is less than on their side, you rekey earlier than them, so no problem.
> If the lifetime on their side is less than on your side, they rekey earlier than you, so no problem.
> For the rekeying itself, use a rekeyfuzz value that results in a time span of several minutes.
>
> You can try using make then break (search the man page for strongswan.conf) for IKEv2. If it works with CISCO, then it's fine.
> Otherwise, you'll have to make do with that. There were some commits merged into master a couple of versions ago that make auto=route work better with IKEv2 during rekeyings and reauthentication,
> so this might be the proper solution for you.
>
> There are different settings for IKE SA and IPsec SA rekeyings. They're a little bit obscurely described on the man page for ipsec.conf, but that should not be an issue. The bottom of the man page should help you tell the difference.
Thanks. The following seems to work stably now:
config setup
    # Enable debug logs:
    #charondebug="ike 2, cfg 2"
    charonstart=yes

conn %default
    # IKE SA lifetime; rekeyed rekeymargin (plus fuzz) before it expires
    ikelifetime=720m
    # IPsec (CHILD) SA lifetime; kept shorter than the Cisco side so we rekey first
    keylife=120m
    ike=aes256-sha512-modp4096
    esp=aes256-sha512
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2
    reauth=no
    authby=rsasig

conn host-vpn1
    leftcert=<%= @fqdn %>.pem
    left=%any
    right=<%= @router1 %>
    rightid=%any
    type=transport
    auto=route

conn host-vpn2
    leftcert=<%= @fqdn %>.pem
    left=%any
    right=<%= @router2 %>
    rightid=%any
    type=transport
    auto=route
We changed the lifetime on the Cisco side to use 4 hours.
So the Linux side is doing the rekeying.
best regards
Waldemar
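An added worked example, not part of Noel's or Waldemar's messages and not strongSwan code: it applies the rekey scheduling rule described in ipsec.conf(5), rekey at lifetime - (rekeymargin + random(0, rekeymargin * rekeyfuzz/100)), to the values in the thread (keylife=120m, rekeymargin=3m, default rekeyfuzz=100%, Cisco side at 4 hours) and checks whether the two peers' rekey windows can overlap. The function names and the tuple layout (lifetime, margin, fuzz) are this example's own; a peer that simply rekeys at expiry is modelled with margin 0.

```python
import random

# Duration suffixes accepted by ipsec.conf(5): s, m, h, d (no suffix = seconds).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert an ipsec.conf style duration such as '720m' or '4h' to seconds."""
    text = text.strip()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


def rekey_window(lifetime_s, margin_s, fuzz_pct=100):
    """Earliest and latest possible rekey instant, in seconds after the SA came up.

    strongSwan schedules the rekey at
        lifetime - (margin + random(0, margin * fuzz/100)),
    so the instant lies in [lifetime - margin*(1 + fuzz/100), lifetime - margin].
    """
    if margin_s < 0 or lifetime_s <= margin_s * (1 + fuzz_pct / 100):
        raise ValueError("rekeymargin (including fuzz) must be smaller than the lifetime")
    latest = lifetime_s - margin_s
    earliest = latest - margin_s * fuzz_pct / 100
    return earliest, latest


def sample_rekey_time(lifetime_s, margin_s, fuzz_pct=100, rng=random):
    """One concrete rekey instant, drawn uniformly from the window like the daemon does."""
    earliest, latest = rekey_window(lifetime_s, margin_s, fuzz_pct)
    return rng.uniform(earliest, latest)


def collision_possible(local, peer):
    """True if both peers could start a rekey in overlapping time ranges.

    local and peer are (lifetime_s, margin_s, fuzz_pct) tuples. A margin of 0
    collapses a peer's window to the single instant at which its SA expires.
    """
    a = rekey_window(*local)
    b = rekey_window(*peer)
    return a[0] <= b[1] and b[0] <= a[1]


def who_rekeys_first(local, peer):
    """'local', 'peer', or 'either' when the windows overlap and a collision is possible."""
    if collision_possible(local, peer):
        return "either"
    return "local" if rekey_window(*local)[1] < rekey_window(*peer)[0] else "peer"


if __name__ == "__main__":
    # Values from the thread (constructed tuples): Linux keylife=120m, rekeymargin=3m,
    # rekeyfuzz default 100%; the Cisco side was set to 4 hours and is modelled
    # as rekeying at expiry.
    linux = (parse_duration("120m"), parse_duration("3m"), 100)
    cisco = (parse_duration("4h"), 0, 100)
    print("linux window (s):", rekey_window(*linux))
    print("cisco window (s):", rekey_window(*cisco))
    print("who rekeys first:", who_rekeys_first(linux, cisco))
    # Same lifetime and margin on both ends: the windows coincide, so the fuzz is
    # what keeps the two rekeys from landing on the same instant.
    print("equal settings:", who_rekeys_first(linux, linux))
    print("one sampled rekey (s):", round(sample_rekey_time(*linux), 1))
```

With the thread's numbers the Linux window is 114 to 117 minutes after the CHILD SA came up, well before the Cisco expiry at 240 minutes, which is why the Linux side always ends up doing the rekeying. When both ends are configured identically the windows coincide and the result is "either": the margin plus fuzz only makes a simultaneous rekey unlikely, not impossible.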