[Openswan dev]
Re: [Openswan Users] Regarding the life time for IKE SA and IPsecSA
Tuomo Soini
tis at foobar.fi
Tue Jan 17 10:43:16 CET 2006
Shi Lang wrote:
> IKE SA = 1 hour by default:
>
> 1. freeswan
> 2. openswan
> 3. strongswan
I did some police work.
RFC2407 specifies in:
4.5 IPSEC Security Association Attributes
...
If unspecified, the default value shall be assumed to be
28800 seconds (8 hours).
...
So the default value for the IPsec SA is selected for a reason.
And I found out that, for example, Juniper has the same defaults as *swan.
Another issue is the short IKE SA lifetime. It seems to be a common
interoperability issue that the responder has a shorter IKE lifetime than
the initiator.
I attach a patch to address that for known Windows connections. The same patch
removes things for type=transport and rightsubnet, which should be fixed
for 2.4.5 so it can be defined.
--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
--- openswan-2.4.5rc4/programs/examples/l2tp-cert.conf.in.lifetime 2005-11-01 20:10:07.000000000 +0200
+++ openswan-2.4.5rc4/programs/examples/l2tp-cert.conf.in 2006-01-17 10:37:29.000000000 +0200
@@ -10,18 +10,20 @@
authby=rsasig
pfs=no
auto=add
- # we cannot rekey for %any, let client rekey
+ # we cannot rekey for %any, let client rekey
rekey=no
- # Do not enable the line below. It is implicitely used, and
- # specifying it will currently break when using nat-t.
- # type=transport. See http://bugs.xelerance.com/view.php?id=466
+ # Set ikelifetime and keylife to same defaults windows has
+ ikelifetime=8h
+ keylife=1h
+ # l2tp-over-ipsec is transport mode
+ type=transport
#
left=%defaultroute
- # or you can use: left=YourIPAddress
+ # or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
# For updated Windows 2000/XP clients,
- # to support old clients as well, use leftprotoport=17/%any
+ # to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
#
# The remote user.
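Review bot: the deleted lines `- # Do not enable the line below. It is implicitely used, and` / `- # type=transport. See http://bugs.xelerance.com/view.php?id=466` are replaced by an unconditional `+ type=transport`, so this example only works once bug 466 is really fixed; the cover mail only says it "should be fixed for 2.4.5", so either confirm the fix is in 2.4.5rc4 before merging or keep a one-line pointer to the bug next to `type=transport`. The `+ ikelifetime=8h` / `+ keylife=1h` lines are the actual fix for the responder-shorter-than-initiator problem described in the mail, and the comment would be clearer if it named the values as the Windows IKE SA (8h) and IPsec SA (1h) defaults rather than "same defaults windows has".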
--- openswan-2.4.5rc4/programs/examples/l2tp-cert-orgWIN2KXP.conf.in.lifetime 2005-11-01 20:10:07.000000000 +0200
+++ openswan-2.4.5rc4/programs/examples/l2tp-cert-orgWIN2KXP.conf.in 2006-01-17 10:37:42.000000000 +0200
@@ -8,12 +8,14 @@
authby=rsasig
pfs=no
auto=add
- # we cannot rekey for %any, let client rekey
- rekey=no
- # Do not enable the line below. It is implicitely used, and
- # specifying it will currently break when using nat-t.
- # type=transport. See http://bugs.xelerance.com/view.php?id=466
- #
+ # we cannot rekey for %any, let client rekey
+ rekey=no
+ # Set ikelifetime and keylife to same defaults windows has
+ ikelifetime=8h
+ keylife=1h
+ # l2tp-over-ipsec is transport mode
+ type=transport
+ #
left=%defaultroute
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
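Review bot: most of this hunk is whitespace-only churn (`- # we cannot rekey for %any, let client rekey` / `+ # we cannot rekey for %any, let client rekey`, the `rekey=no` pair, the `#` pair); the content change is the three added lines `ikelifetime=8h`, `keylife=1h`, `type=transport` and the dropped bug-466 comment. Suggest splitting the re-indentation into its own patch, or generating the diff with whitespace ignored, so the lifetime change can be reviewed on its own.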
@@ -25,8 +27,8 @@
# The remote user.
#
right=%any
- rightca=%same
+ rightca=%same
rightrsasigkey=%cert
rightprotoport=17/1701
- rightsubnet=vhost:%priv,%no
+ rightsubnet=vhost:%priv,%no
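Review bot: the cover mail says the patch "removes things for type=transport and rightsubnet", but `- rightsubnet=vhost:%priv,%no` / `+ rightsubnet=vhost:%priv,%no` are identical apart from whitespace, as are the `rightca=%same` lines, so nothing is removed in this hunk. If the intent was to drop the `,%no` part once 2.4.5 handles it, the hunk does not do that; if it is only re-indentation, the cover mail should say so.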
--- openswan-2.4.5rc4/programs/examples/l2tp-psk.conf.in.lifetime 2005-11-24 10:37:43.000000000 +0200
+++ openswan-2.4.5rc4/programs/examples/l2tp-psk.conf.in 2006-01-17 10:37:56.000000000 +0200
@@ -1,5 +1,5 @@
conn L2TP-PSK-NAT
- rightsubnet=vhost:%priv
+ rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
@@ -12,17 +12,21 @@
# Use a Preshared Key. Disable Perfect Forward Secrecy.
#
# PreSharedSecret needs to be specified in /etc/ipsec.secrets as
- # YourIPAddress %any: "sharedsecret"
+ # YourIPAddress %any: "sharedsecret"
authby=secret
pfs=no
auto=add
keyingtries=3
# we cannot rekey for %any, let client rekey
rekey=no
+ # Set ikelifetime and keylife to same defaults windows has
+ ikelifetime=8h
+ keylife=1h
+ # l2tp-over-ipsec is transport mode
type=transport
#
- left=%defaultroute
- # or you can use: left=YourIPAddress
+ left=%defaultroute
+ # or you can use: left=YourIPAddress
#
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
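Review bot: this file already had `type=transport` enabled and carries `keyingtries=3`, so only `+ ikelifetime=8h`, `+ keylife=1h` and the two comment lines are new here; the `- left=%defaultroute` / `+ left=%defaultroute` pair is again whitespace-only. Since the same three settings are now added to four example files, consider placing them in one shared conn and pulling it in with `also=`, the mechanism `conn L2TP-PSK-NAT` already uses (`also=L2TP-PSK-noNAT`) in the first hunk of this file.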
--- openswan-2.4.5rc4/programs/examples/l2tp-psk-orgWIN2KXP.conf.in.lifetime 2005-11-01 20:10:07.000000000 +0200
+++ openswan-2.4.5rc4/programs/examples/l2tp-psk-orgWIN2KXP.conf.in 2006-01-17 10:38:08.000000000 +0200
@@ -7,15 +7,17 @@
#
authby=secret
pfs=no
- auto=add
- # we cannot rekey for %any, let client rekey
- rekey=no
- # Do not enable the line below. It is implicitely used, and
- # specifying it will currently break when using nat-t.
- # type=transport. See http://bugs.xelerance.com/view.php?id=466
- #
- left=%defaultroute
- # or you can use: left=YourIPAddress
+ auto=add
+ # we cannot rekey for %any, let client rekey
+ rekey=no
+ # Set ikelifetime and keylife to same defaults windows has
+ ikelifetime=8h
+ keylife=1h
+ # l2tp-over-ipsec is transport mode
+ type=transport
+ #
+ left=%defaultroute
+ # or you can use: left=YourIPAddress
#
# Required for original (non-updated) Windows 2000/XP clients.
# to support new clients as well, use leftprotoport=17/%any
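Review bot: `- auto=add` / `+ auto=add` and the `left=` lines are included although unchanged, so the hunk reads as a full replacement of the section rather than the insertion of `ikelifetime=8h`, `keylife=1h` and `type=transport` that it actually is. The comment `# Set ikelifetime and keylife to same defaults windows has` should state the rationale from the mail (match the Windows defaults, IKE SA 8h and IPsec SA 1h, so the responder's IKE lifetime is not shorter than the initiator's), especially in this file, which the surrounding comments say is for original non-updated Windows 2000/XP clients.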
@@ -25,4 +27,4 @@
#
right=%any
rightprotoport=17/1701
- rightsubnet=vhost:%priv,%no
+ rightsubnet=vhost:%priv,%no
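An added example, not from this thread or the Openswan project: a small Python lint that reads the conn sections of an ipsec.conf and reports when a responder's IKE SA lifetime is shorter than a Windows client's 8h, or its IPsec SA lifetime differs from the client's 1h, falling back to the stock *swan defaults cited in the thread when the keywords are absent. The sample config and its conn names are constructed.

```python
import re

# Constructed sample (not from the page): one conn left at *swan's stock lifetimes,
# one with the values the patch on this page sets.
SAMPLE_CONF = """\
conn L2TP-PSK-stock
    rekey=no
    type=transport
conn L2TP-PSK-windows
    rekey=no
    ikelifetime=8h
    keylife=1h
"""
# Windows L2TP/IPsec client lifetimes the patch mirrors: IKE SA 8h, IPsec SA 1h.
WINDOWS_IKE, WINDOWS_IPSEC = 8 * 3600, 3600
# *swan defaults when the keywords are absent, per the thread: IKE SA 1h, IPsec SA 28800s.
SWAN_IKE, SWAN_IPSEC = 3600, 28800
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Convert an ipsec.conf duration ('8h', '30m', '3600') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if line.startswith("conn "):
            current = line[5:].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def check_lifetimes(conn):
    """Findings for a responder conn facing a Windows initiator (empty = consistent)."""
    ike = parse_duration(conn.get("ikelifetime", str(SWAN_IKE)))
    ipsec = parse_duration(conn.get("keylife", str(SWAN_IPSEC)))
    findings = []
    if ike < WINDOWS_IKE:  # the interop problem the thread describes
        findings.append(f"ikelifetime {ike}s is shorter than the client's {WINDOWS_IKE}s")
    if ipsec != WINDOWS_IPSEC:
        findings.append(f"keylife {ipsec}s differs from the client's {WINDOWS_IPSEC}s")
    return findings
```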