Page MenuHomeVyOS Platform

IKE life-time should start from 0 for disable rekey
Closed, ResolvedPublicFEATURE REQUEST

Description

IKE lifetime should start from 0 for disabling rekey
https://github.com/vyos/vyos-1x/blob/b65296a0ff39e66d87e916971477cce351f6d5a5/interface-definitions/vpn-ipsec.xml.in#L360-L364

Request from the forum

vyos@r14# set vpn ipsec ike-group IKE lifetime 
Possible completions:
   <30-86400>           IKE lifetime in seconds

Details

Version
VyOS 1.4-rolling-202303310716
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav changed the task status from Open to In progress.Apr 3 2023, 10:25 AM
Viacheslav claimed this task.
Viacheslav changed the subtype of this task from "Bug" to "Feature Request".

PR https://github.com/vyos/vyos-1x/pull/1933

set vpn ipsec authentication psk MY-PEER id '192.0.2.1'
set vpn ipsec authentication psk MY-PEER id '192.0.2.10'
set vpn ipsec authentication psk MY-PEER secret 'SeCrEt'
set vpn ipsec esp-group ESP proposal 1
set vpn ipsec ike-group IKE key-exchange 'ikev2'
set vpn ipsec ike-group IKE lifetime '0'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer MY-PEER authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MY-PEER ike-group 'IKE'
set vpn ipsec site-to-site peer MY-PEER local-address '192.0.2.1'
set vpn ipsec site-to-site peer MY-PEER remote-address '192.0.2.10'
set vpn ipsec site-to-site peer MY-PEER tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer MY-PEER tunnel 1 local prefix '10.0.2.0/25'
set vpn ipsec site-to-site peer MY-PEER tunnel 1 remote prefix '10.5.5.0/25'

Expected `no rekeying

vyos@r14:~$ sudo swanctl -L
MY-PEER: IKEv2, no reauthentication, no rekeying, dpd delay 30s
  local:  192.0.2.1
  remote: 192.0.2.10
  local pre-shared key authentication:
  remote pre-shared key authentication:
    id: %any
  MY-PEER-tunnel-1: TUNNEL, rekeying every 3272s, dpd action is none
    local:  10.0.2.0/25
    remote: 10.5.5.0/25
vyos@r14:~$
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.

Will be available in the next rolling release.