Page MenuHomeVyOS Platform
Create Task
Maniphest T3764

Unconfigurable IKE and ESP lifetime
Closed, ResolvedPublicBUG
Actions

Description

In rewritten IPSec implementation missed `lifetime options for IKE and ESP
From strongswan documentation, it a bit modified and should be:
ipsec.conf (old)
ikelifetime=3h (strongswan default)
strongswan.conf

connections.<conn>.rekey_time=170m (default: 4h)
connections.<conn>.over_time=10m (default: 10% of rekey_time)
see ExpiryRekey for details

By default, it adds about 10% to rekey_time, so with defined rekey_time=3600s we can see in ISAKMP value 3960

ESP phase2:
ipsec.conf (old)
lifetime=1h (strongswan default)
strongswan.conf

connections.<conn>.children.<child>.life_time=1h (strongswan default: 110% * rekey_time)
but configuring
connections.<conn>.children.<child>.rekey_time (default: 1h, so setting life_time to 1h without changing this, will disable rekeying)
instead is preferred, see below and ExpiryRekey for details

https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Details

Difficulty level
Easy (less than an hour)
Version
1.4-rolling-202108161638
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible

Related Objects
Search...

Event Timeline

Unknown Object (User) created this task.Aug 18 2021, 1:21 PM
Viacheslav added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.Aug 18 2021, 1:24 PM
pasik added a subscriber: pasik.Aug 18 2021, 2:47 PM
c-po assigned this task to sarthurdev.Aug 18 2021, 3:22 PM
c-po claimed this task.Aug 18 2021, 7:07 PM
c-po added a subscriber: sarthurdev.
c-po moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.Aug 19 2021, 8:53 AM
c-po closed this task as Resolved.Aug 19 2021, 10:03 AM
c-po triaged this task as High priority.
c-po changed Difficulty level from Normal (likely a few hours) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.Sep 19 2021, 7:04 AM