Todo #11219: Improve IPsec GUI options for P1/P2 reauth/rekey
Status: Closed (100% done)
Description
Additional options are available to control P1 and P2 renegotiation, but we currently either calculate them or accept the defaults. Somewhat related to #10176 and similar issues with (re)negotiation, and the current P1 layout is a bit confusing for users who are used to working with total lifetime values.
Some changes could be made for consistency as well. What we should end up with is:
- IKE SA / Phase 1
  - Life Time -- Remove Over Time and change to Life Time. Hard upper limit on IKE SA life time.
    - Take this value and calculate others based on it (e.g. Over Time as 10%). This way users don't have to manually do the math if they want a specific total Life Time.
    - If empty, calculated based on the max of Rekey/Reauth Time (110%).
    - Add input validation to prevent the user from setting Rekey/Reauth Time to the same value as Life Time.
    - Add input validation to prevent the user from setting Rekey/Reauth Time to a larger value than Life Time.
  - Rekey Time
    - 0 to disable; if blank, use 90% of Life Time when using IKEv2.
  - Reauth Time
    - 0 to disable; if blank, use 90% of Life Time when using IKEv1.
  - Rand Time -- A random value subtracted from Rekey/Reauth Time to avoid simultaneous renegotiation.
    - Current value is empty, which defaults to 10% of Life Time.
    - 0 to disable, but warn against disabling.
- Child SA / Phase 2
  - Life Time -- Same as now, but warn that it is a hard upper limit, similar to P1.
    - If empty, defaults to 110% of Rekey Time.
    - If both Rekey Time and Life Time are empty, default to 3960s.
    - Add input validation to prevent the user from setting Rekey Time to the same value as Life Time.
  - Rekey Time -- Time at which to rekey the child SA entry.
    - Currently calculated as 90% of Life Time.
    - 0 to disable rekeying, but warn against disabling.
    - If empty, default to 90% of Life Time.
    - If both Rekey Time and Life Time are empty, default to 3600s.
  - Rand Time -- A random value subtracted from Rekey Time to avoid simultaneous renegotiation.
    - Currently calculated as 10% of Life Time.
    - 0 to disable, but warn against disabling.
    - If empty, use the difference between Life Time and Rekey Time.
    - No effect if rekeying is disabled.
Needs upgrade code to change existing options into this new model, taking into consideration the changes which have already been made in upgrade_199_to_200().
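A model of the derivation and validation rules listed above, as an added example that is not pfSense code: the function names, the convention that None means an empty GUI field, and the fallback used when P2 rekeying is disabled with an empty Life Time are assumptions. It also rejects a P2 Rekey Time larger than Life Time, mirroring the P1 rule.

```python
"""Derive IKE SA (P1) and Child SA (P2) timing values from the GUI fields.
None = field left empty, 0 = explicitly disabled.  All values in seconds."""

P2_DEFAULT_REKEY = 3600   # used when both P2 Rekey Time and Life Time are empty
P2_DEFAULT_LIFE = 3960    # 110% of the default rekey time


def _pct(value, pct):
    """Integer percentage of a time value (truncated, like the GUI would)."""
    return int(value * pct / 100)


def derive_p1(life=None, rekey=None, reauth=None, rand=None, ikev2=True):
    """Return {'life', 'rekey', 'reauth', 'rand'} for the IKE SA (Phase 1)."""
    # Empty Life Time: 110% of the larger of Rekey/Reauth Time.
    if life is None:
        basis = max(rekey or 0, reauth or 0)
        if basis == 0:
            raise ValueError("P1 needs a Life Time or a non-zero Rekey/Reauth Time")
        life = _pct(basis, 110)
    # Empty Rekey (IKEv2) or Reauth (IKEv1) defaults to 90% of Life Time.
    if ikev2 and rekey is None:
        rekey = _pct(life, 90)
    if not ikev2 and reauth is None:
        reauth = _pct(life, 90)
    # Validation: neither timer may equal or exceed the hard upper limit.
    for name, t in (("Rekey", rekey), ("Reauth", reauth)):
        if t is not None and t >= life:
            raise ValueError(f"P1 {name} Time must be smaller than Life Time")
    if rand is None:
        rand = _pct(life, 10)         # 0 is allowed but discouraged
    # Assumption: the timer not used by the selected IKE version is reported as 0.
    return {"life": life, "rekey": rekey or 0, "reauth": reauth or 0, "rand": rand}


def derive_p2(life=None, rekey=None, rand=None):
    """Return {'life', 'rekey', 'rand'} for the Child SA (Phase 2)."""
    if life is None and rekey is None:
        life, rekey = P2_DEFAULT_LIFE, P2_DEFAULT_REKEY
    elif life is None:
        # Assumed fallback: rekey disabled (0) with empty Life Time uses the default.
        life = _pct(rekey, 110) if rekey else P2_DEFAULT_LIFE
    elif rekey is None:
        rekey = _pct(life, 90)
    if rekey >= life:
        raise ValueError("P2 Rekey Time must be smaller than Life Time")
    if rand is None:
        rand = life - rekey           # empty Rand Time: Life Time minus Rekey Time
    if rekey == 0:
        rand = 0                      # Rand Time has no effect without rekeying
    return {"life": life, "rekey": rekey, "rand": rand}
```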
Updated by Jim Pingle almost 4 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
I just pushed a set of changes to address all of the above points. GUI fields are now present in both P1 and P2 as laid out in the description. On upgrade, values are properly derived, and also when writing out the configuration. The only thing the user must fill in is the P1/P2 lifetime and the rest can be calculated, or they can fine tune the values however they like.
Worked well in testing here, but needs to be checked against a wider variety of configurations.
Updated by Florin Samareanu almost 4 years ago
I’ve been testing this using system patches for 12+ hours and it seems to work fine. P1 is rekey; for P2 only life time is entered. All 4 VTI tunnels came back up fine after applying the patch, editing/saving each P1/P2 definition and rebooting the firewalls.
Thank you.
Updated by Jim Pingle over 3 years ago
When testing, one thing I'm looking for is that the GUI settings put in manually correspond with the values in /var/etc/ipsec/swanctl.conf and agree with the values shown as placeholders in the GUI for the P1/P2 Lifetime, Rekey, Reauth, and Rand times.
Updated by Renato Botelho over 3 years ago
- Status changed from Feedback to Resolved