Todo #11219 (closed): Improve IPsec GUI options for P1/P2 reauth/rekey
Start date: 01/04/2021
% Done: 100%
Description
Additional options are available to control P1 and P2 renegotiation, but we currently either calculate them or accept the defaults. This is somewhat related to #10176 and similar issues with (re)negotiation, and the current P1 layout is confusing for users who are used to working with total lifetime values.
Some changes could be made for consistency as well. What we should end up with is:
- IKE SA / Phase 1
  - Life Time -- Remove Over Time and change it to Life Time. Hard upper limit on IKE SA life time.
    - Take this value and calculate the others from it (e.g. Over Time as 10%), so users don't have to do the math by hand when they want a specific total Life Time.
    - If empty, calculated as 110% of the larger of Rekey Time and Reauth Time.
    - Add input validation to prevent the user from setting Rekey/Reauth Time to the same value as Life Time.
    - Add input validation to prevent the user from setting Rekey/Reauth Time to a value larger than Life Time.
  - Rekey Time
    - 0 to disable; if blank, use 90% of Life Time when using IKEv2.
  - Reauth Time
    - 0 to disable; if blank, use 90% of Life Time when using IKEv1.
  - Rand Time -- A random value subtracted from Rekey/Reauth Time to avoid simultaneous renegotiation.
    - Currently empty, which defaults to 10% of Life Time.
    - 0 to disable, but warn against disabling.
- Child SA / Phase 2
  - Life Time -- Same as now, but warn that it is a hard upper limit, similar to P1.
    - If empty, defaults to 110% of Rekey Time.
    - If both Rekey Time and Life Time are empty, default to 3960s.
    - Add input validation to prevent the user from setting Rekey Time to the same value as Life Time.
  - Rekey Time -- Time at which to rekey the child SA entry.
    - Currently calculated as 90% of Life Time.
    - 0 to disable rekeying, but warn against disabling.
    - If empty, default to 90% of Life Time.
    - If both Rekey Time and Life Time are empty, default to 3600s.
  - Rand Time -- A random value subtracted from Rekey Time to avoid simultaneous renegotiation.
    - Currently calculated as 10% of Life Time.
    - 0 to disable, but warn against disabling.
    - If empty, take the difference of Life Time and Rekey Time.
    - No effect if rekey is disabled.
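To make the defaulting and validation rules above concrete, here is a constructed Python model of them (an added example, not pfSense code). It assumes: a blank Rekey Time on IKEv1 or blank Reauth Time on IKEv2 is treated as disabled, an all-blank P1 form is rejected (the ticket leaves that case open), percentages are truncated to whole seconds, and P2 rejects a Rekey Time larger than Life Time the same way P1 does.

```python
# Constructed model of the proposed IPsec lifetime rules (not pfSense code).
# None models an empty GUI field; 0 means "disabled"; all times are seconds.

def _pct(value, pct):
    return value * pct // 100            # truncated to whole seconds (assumption)

def _check_below_life(name, value, life):
    # Validation: a non-zero rekey/reauth time must stay below the hard upper limit.
    if value != 0 and value >= life:
        raise ValueError(f"{name} Time must be less than Life Time")

def p1_times(version, life=None, rekey=None, reauth=None, rand=None):
    """IKE SA / Phase 1 defaults. version is 'ikev1' or 'ikev2'."""
    # Remember which fields the user explicitly set to 0, so the GUI can warn.
    warn = [n for n, v in (("rekey", rekey), ("reauth", reauth), ("rand", rand)) if v == 0]
    if life is None:
        given = [v for v in (rekey, reauth) if v]         # non-empty and non-zero
        if not given:                                      # case the ticket leaves open
            raise ValueError("set Life Time, Rekey Time or Reauth Time")  # assumption
        life = _pct(max(given), 110)                       # 110% of max(rekey, reauth)
    if rekey is None:                                      # blank: 90% of life on IKEv2
        rekey = _pct(life, 90) if version == "ikev2" else 0   # else disabled (assumption)
    if reauth is None:                                     # blank: 90% of life on IKEv1
        reauth = _pct(life, 90) if version == "ikev1" else 0  # else disabled (assumption)
    _check_below_life("Rekey", rekey, life)
    _check_below_life("Reauth", reauth, life)
    if rand is None:
        rand = _pct(life, 10)                              # default: 10% of Life Time
    return {"life": life, "rekey": rekey, "reauth": reauth, "rand": rand, "warn": warn}

def p2_times(life=None, rekey=None, rand=None):
    """Child SA / Phase 2 defaults."""
    warn = [n for n, v in (("rekey", rekey), ("rand", rand)) if v == 0]
    if life is None and rekey is None:                     # both blank: 3960s / 3600s
        life, rekey = 3960, 3600
    elif rekey is None:
        rekey = _pct(life, 90)                             # blank: 90% of Life Time
    elif life is None:
        life = _pct(rekey, 110)                            # blank: 110% of Rekey Time
    _check_below_life("Rekey", rekey, life)                # equal rejected per ticket; larger too (assumption)
    if rand is None:
        rand = life - rekey if rekey else 0                # blank: Life - Rekey; no effect if rekey disabled
    return {"life": life, "rekey": rekey, "rand": rand, "warn": warn}
```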
Needs upgrade code to convert existing options into this new model, taking into consideration the changes already made in upgrade_199_to_200().