Re: [strongSwan] best practice for IKEv2 lifetimes

2018-03-23 Thread Waldemar Brodkorb
Hi Noel,
Noel Kuntze wrote,

> Hi,
> 
> Set the correct lifetime locally and a sizeable margintime.
> That works around the issue of bad administration on the other end. If they 
> set it up right, the lifetime is exactly the same as on your side, the 
> margintime makes a collision unlikely.
> If the lifetime on your side is less than on their side, you rekey earlier 
> than them, so no problem.
> If the lifetime on their side is less than on your side, they rekey earlier 
> than you, so no problem.
> For the rekeying itself, use a rekeyfuzz value that results in a time span of 
> several minutes.
> 
> You can try using make then break (search the man page for strongswan.conf) 
> for IKEv2. If it works with CISCO, then it's fine.
> Otherwise, you'll have to make do with that. There were some commits merged 
> into master a couple of versions ago that make auto=route work better with 
> IKEv2 during rekeyings and reauthentication,
> so this might be the proper solution for you.
> 
> There are different settings for IKE SA and IPsec SA rekeyings. They're a 
> little bit obscurely described on the man page for ipsec.conf, but that 
> should not be an issue. The bottom of the man page should help you tell the 
> difference.

Thanks. The following seems to work stably now:
config setup
  # Enable debug logs:
#charondebug="ike 2, cfg 2"
charonstart=yes

conn %default
ikelifetime=720m
keylife=120m
ike=aes256-sha512-modp4096
esp=aes256-sha512
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ikev2
reauth=no
authby=rsasig

conn host-vpn1
leftcert=<%= @fqdn %>.pem
left=%any
right=<%= @router1 %>
rightid=%any
type=transport
auto=route

conn host-vpn2
leftcert=<%= @fqdn %>.pem
left=%any
right=<%= @router2 %>
rightid=%any
type=transport
auto=route

We changed the lifetime on the Cisco side to use 4 hours.
So the Linux side is doing the rekeying.

best regards
 Waldemar


Re: [strongSwan] best practice for IKEv2 lifetimes

2018-03-08 Thread Noel Kuntze
Hi,

Set the correct lifetime locally and a sizeable margintime.
That works around the issue of bad administration on the other end. If they set 
it up right, the lifetime is exactly the same as on your side, the margintime 
makes a collision unlikely.
If the lifetime on your side is less than on their side, you rekey earlier than 
them, so no problem.
If the lifetime on their side is less than on your side, they rekey earlier 
than you, so no problem.
For the rekeying itself, use a rekeyfuzz value that results in a time span of 
several minutes.

You can try using make then break (search the man page for strongswan.conf) for 
IKEv2. If it works with CISCO, then it's fine.
Otherwise, you'll have to make do with that. There were some commits merged 
into master a couple of versions ago that make auto=route work better with 
IKEv2 during rekeyings and reauthentication,
so this might be the proper solution for you.

There are different settings for IKE SA and IPsec SA rekeyings. They're a 
little bit obscurely described on the man page for ipsec.conf, but that should 
not be an issue. The bottom of the man page should help you tell the difference.

Kind regards

Noel

On 07.03.2018 15:56, Waldemar Brodkorb wrote:
> Hi,
>
> We are using Strongswan 5.5.1 on Debian 9 with IKEv2.
> The other sides are Cisco ISR 2900 routers. The connection works
> fine, but sometimes we have a disconnect and the tunnels on the
> Cisco side are marked as down. After /etc/init.d/ipsec restart
> everything works again.
>
> In the early days when I started using IPsec this always meant to
> be a difference in the lifetime configured for IKE SA or IPsec SA.
>
> I am new to IKEv2 and started investigating the problem; RFC 7296
> clearly states: "A difference between IKEv1 and IKEv2 is that in
> IKEv1 SA lifetimes were negotiated.  In IKEv2, each end of the SA is
> responsible for enforcing its own lifetime policy on the SA and
> rekeying the SA when necessary.  If the two ends have different
> lifetime policies, the end with the shorter lifetime will end up
> always being the one to request the rekeying."
>
> What is best practice to define a lifetime? 
> Should it be defined on the Cisco side or on the Strongswan side?
> Or on both sides different to avoid simultaneous rekeying?
> Strongswan has some options for jittering the lifetime, but I think
> Cisco side does not have it.
> What if I want IKE SA rekeying after 24 hours and IPsec SA rekeying
> after 1 hour?
>
> We use ipsec.conf, our template looks like this for now:
> config setup
>   # Enable debug logs:
> #charondebug="ike 2, cfg 2"
> charonstart=yes
> conn %default
> ikelifetime=1440m
> keylife=60m
> ike=aes256-sha512-modp4096
> esp=aes256-sha512
> rekeymargin=3m
> keyingtries=1
> mobike=no
> keyexchange=ikev2
> authby=rsasig
>
> conn host-vpn1
> leftcert=<%= @fqdn %>.pem
> left=%any
> right=<%= @router1 %>
> rightid=%any
> type=transport
> auto=add
>
> conn host-vpn2
> leftcert=<%= @fqdn %>.pem
> left=%any
> right=<%= @router2 %>
> rightid=%any
> type=transport
> auto=add
>
> Should I better add "reauth = no" to avoid short connection outage and
> just explicitly enable "rekey = yes" and "rekeyfuzz = 100%" to avoid
> rekeying of both tunnels in the same timeframe?
>
> best regards
>  Waldemar





[strongSwan] best practice for IKEv2 lifetimes

2018-03-07 Thread Waldemar Brodkorb
Hi,

We are using Strongswan 5.5.1 on Debian 9 with IKEv2.
The other sides are Cisco ISR 2900 routers. The connection works
fine, but sometimes we have a disconnect and the tunnels on the
Cisco side are marked as down. After /etc/init.d/ipsec restart
everything works again.

In the early days when I started using IPsec this always meant to
be a difference in the lifetime configured for IKE SA or IPsec SA.

I am new to IKEv2 and started investigating the problem; RFC 7296
clearly states: "A difference between IKEv1 and IKEv2 is that in
IKEv1 SA lifetimes were negotiated.  In IKEv2, each end of the SA is
responsible for enforcing its own lifetime policy on the SA and
rekeying the SA when necessary.  If the two ends have different
lifetime policies, the end with the shorter lifetime will end up
always being the one to request the rekeying."

What is best practice to define a lifetime? 
Should it be defined on the Cisco side or on the Strongswan side?
Or on both sides different to avoid simultaneous rekeying?
Strongswan has some options for jittering the lifetime, but I think
Cisco side does not have it.
What if I want IKE SA rekeying after 24 hours and IPsec SA rekeying
after 1 hour?

We use ipsec.conf, our template looks like this for now:
config setup
  # Enable debug logs:
#charondebug="ike 2, cfg 2"
charonstart=yes
conn %default
ikelifetime=1440m
keylife=60m
ike=aes256-sha512-modp4096
esp=aes256-sha512
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ikev2
authby=rsasig

conn host-vpn1
leftcert=<%= @fqdn %>.pem
left=%any
right=<%= @router1 %>
rightid=%any
type=transport
auto=add

conn host-vpn2
leftcert=<%= @fqdn %>.pem
left=%any
right=<%= @router2 %>
rightid=%any
type=transport
auto=add

Should I better add "reauth = no" to avoid short connection outage and
just explicitly enable "rekey = yes" and "rekeyfuzz = 100%" to avoid
rekeying of both tunnels in the same timeframe?

best regards
 Waldemar