Maniphest T3764

Unconfigurable IKE and ESP lifetime
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	Unknown Object (User)
	Aug 18 2021, 1:21 PM

Tags

Referenced Files

None

Subscribers

Description

In rewritten IPSec implementation missed `lifetime options for IKE and ESP
From strongswan documentation, it a bit modified and should be:
ipsec.conf (old)
ikelifetime=3h (strongswan default)
strongswan.conf

connections.<conn>.rekey_time=170m (default: 4h)
connections.<conn>.over_time=10m (default: 10% of rekey_time)
see ExpiryRekey for details

By default, it adds about 10% to rekey_time, so with defined rekey_time=3600s we can see in ISAKMP value 3960

ESP phase2:
ipsec.conf (old)
lifetime=1h (strongswan default)
strongswan.conf

connections.<conn>.children.<child>.life_time=1h (strongswan default: 110% * rekey_time)
but configuring
connections.<conn>.children.<child>.rekey_time (default: 1h, so setting life_time to 1h without changing this, will disable rekeying)
instead is preferred, see below and ExpiryRekey for details

https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Details

Version: 1.4-rolling-202108161638
Is it a breaking change?: Perfectly compatible

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		sarthurdev	T2816 Rewrite IPsec scripts with the new XML/Python approach
		Resolved	BUG	c-po	T3764 Unconfigurable IKE and ESP lifetime

Event Timeline

Unknown Object (User) created this task.Aug 18 2021, 1:21 PM

Viacheslav added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.Aug 18 2021, 1:24 PM

pasik subscribed.Aug 18 2021, 2:47 PM

c-po assigned this task to sarthurdev.Aug 18 2021, 3:22 PM

c-po claimed this task.Aug 18 2021, 7:07 PM

c-po added a subscriber: sarthurdev.

c-po moved this task from Open to In Progress on the VyOS 1.4 Sagitta board.Aug 19 2021, 8:53 AM

c-po mentioned this in rVYOSONEX7a873eb6ecfa: ipsec: T3764: bugfix missing IKE and ESP lifetime values.Aug 19 2021, 10:03 AM

c-po closed this task as Resolved.Aug 19 2021, 10:03 AM

c-po triaged this task as High priority.

c-po edited a custom field.

c-po edited a custom field.

c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

c-po mentioned this in rVYOSONEX1d221c04b225: ipsec: T3764: add additional quantifier for IKE and ESP lifetime.Aug 19 2021, 10:36 AM

c-po mentioned this in rVYOSONEX95955aa9a729: ipsec: dmvpn: T3764: bugfix mixed up IKE/ESP lifetime variable.

c-po mentioned this in rVYOSONEX8114975668ac: smoketest: ipsec: T3764: extend testcases for IKE/ESP lifetime.

c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.Sep 19 2021, 7:04 AM