
ipsec: support disabling rekey of CHILD_SA
Status: Needs testing. Priority: Low. Visibility: Public.

Description

T5139 provided support for disabling rekey of IKE_SAs. We should also extend this to CHILD_SAs.

I propose adding a "rekey disable" option to esp-group which will disable all local-initiated rekeys based on time limits, byte limits, and packet limits. Disabling rekeying does not prevent the other side from initiating a rekey. Configured lifetime limits still apply and if the other side fails to rekey before a limit is reached, the SA will expire and the connection will be torn down. The default will be "rekey enable", so no behavior will change with existing configurations.

Disabling rekeying could be useful particularly for road warrior configurations, where it is often better to let clients drive the rekeying behavior so that clients can plan ahead sleep intervals, maximize battery life, etc.

As part of this change I also propose updating remote-access to have closer parity to site-to-site in terms of settings honored from the ike-group and esp-group. remote-access currently does not honor life_bytes/life_packets or DPD intervals. Additionally, the esp-group "lifetime" has a subtly different meaning for remote-access which may have been an oversight in the initial implementation.
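As an added illustration (not part of the task, and not VyOS's own implementation), the following hypothetical Python model shows how an esp-group "rekey disable" option could be mapped onto strongSwan's swanctl.conf CHILD_SA limits. strongSwan distinguishes soft limits (rekey_time, rekey_bytes, rekey_packets: when reached, the local side initiates a rekey; 0 disables that trigger) from hard limits (life_time, life_bytes, life_packets: when reached, the SA is deleted). The class and function names, and the choice to place the local rekey at 90% of the hard limit when rekeying is enabled, are assumptions for this example only.

```python
"""Hypothetical model of an esp-group "rekey disable" option mapped onto
strongSwan swanctl.conf CHILD_SA limits. Example code, not VyOS code.

swanctl semantics used here (from the strongSwan swanctl.conf reference):
  rekey_time / rekey_bytes / rekey_packets  soft limits: we initiate a rekey;
                                            0 disables that trigger locally
  life_time  / life_bytes  / life_packets   hard limits: the SA is deleted
The peer may still rekey on its own schedule; if it does not, the hard
limit expires the SA exactly as the task description states.
"""
from dataclasses import dataclass


@dataclass
class EspGroup:
    lifetime: int = 3600      # seconds; treated as the hard limit (life_time)
    life_bytes: int = 0       # 0 = no byte limit configured
    life_packets: int = 0     # 0 = no packet limit configured
    rekey: bool = True        # proposed "rekey enable|disable"; default enable


# Assumption for this example: when rekeying is enabled, initiate our own
# rekey at 90% of each hard limit so it completes before the SA expires.
REKEY_MARGIN = 0.9


def child_options(esp: EspGroup) -> dict:
    """Return the swanctl child-section options implementing this esp-group."""
    opts = {"life_time": esp.lifetime}
    if esp.life_bytes:
        opts["life_bytes"] = esp.life_bytes
    if esp.life_packets:
        opts["life_packets"] = esp.life_packets

    if esp.rekey:
        opts["rekey_time"] = int(esp.lifetime * REKEY_MARGIN)
        if esp.life_bytes:
            opts["rekey_bytes"] = int(esp.life_bytes * REKEY_MARGIN)
        if esp.life_packets:
            opts["rekey_packets"] = int(esp.life_packets * REKEY_MARGIN)
    else:
        # Explicit zeros are required: if rekey_time were simply omitted,
        # strongSwan would apply its own default (1h) and rekey anyway.
        opts["rekey_time"] = 0
        opts["rekey_bytes"] = 0
        opts["rekey_packets"] = 0
    return opts


def render_child(name: str, esp: EspGroup) -> str:
    """Render the options as a swanctl.conf child block."""
    lines = [f"{name} {{"]
    for key, value in child_options(esp).items():
        unit = "s" if key.endswith("_time") else ""
        lines.append(f"    {key} = {value}{unit}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Road-warrior style child: peer drives rekeying, hard limits still enforced.
    print(render_child("rw", EspGroup(lifetime=3600, rekey=False)))
    # Site-to-site style child: we rekey before the hard limits hit.
    print(render_child("s2s", EspGroup(lifetime=3600, life_bytes=1000000)))
```

After loading such a configuration, `swanctl --list-sas` shows the remaining hard lifetime per CHILD_SA; with rekeying disabled, that counter keeps falling until the peer rekeys or the SA is deleted.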

Details

Version
-
Is it a breaking change?
Behavior change
Issue type
Feature (new functionality)

Event Timeline

lucasec created this object in space S1 VyOS Public.
lucasec changed the task status from Open to In progress. Jul 21 2024, 5:02 AM
lucasec claimed this task.
c-po changed the task status from In progress to Needs testing. Jul 22 2024, 10:28 AM
c-po moved this task from Open to Finished on the VyOS 1.5 Circinus board.