Todo #11219

closed

Improve IPsec GUI options for P1/P2 reauth/rekey

Added by Jim Pingle 11 months ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 01/04/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

Additional options are available to control P1 and P2 renegotiation, but we either calculate them or accept the defaults. This is somewhat related to #10176 and similar issues with (re)negotiation, and the current P1 layout is a bit confusing for users who are used to working with total lifetime values.

Some changes could be made for consistency as well. What we should end up with is:

  • IKE SA / Phase 1
    • Life Time -- Remove Over Time and change it to Life Time: a hard upper limit on the IKE SA life time.
      • Take this value and calculate the others from it (e.g. Over Time as 10%), so users don't have to do the math manually when they want a specific total Life Time.
      • If empty, calculate it as 110% of the larger of Rekey Time and Reauth Time.
      • Add input validation to prevent the user from setting Rekey/Reauth Time to the same value as Life Time.
      • Add input validation to prevent the user from setting Rekey/Reauth Time to a value larger than Life Time.
    • Rekey Time
      • 0 to disable; if blank, use 90% of Life Time when using IKEv2.
    • Reauth Time
      • 0 to disable; if blank, use 90% of Life Time when using IKEv1.
    • Rand Time -- A random value subtracted from the rekey/reauth time to avoid simultaneous renegotiation.
      • Currently left empty, which defaults to 10% of Life Time.
      • 0 to disable, but warn against disabling.
  • Child SA / Phase 2
    • Life Time -- Same as now, but warn that it is a hard upper limit, similar to P1.
      • If empty, defaults to 110% of Rekey Time.
      • If both Rekey Time and Life Time are empty, default to 3960s.
      • Add input validation to prevent the user from setting Rekey Time to the same value as Life Time.
    • Rekey Time -- Time at which to rekey the child SA entry.
      • Currently calculated as 90% of Life Time.
      • 0 to disable rekeying, but warn against disabling.
      • If empty, default to 90% of Life Time.
      • If both Rekey Time and Life Time are empty, default to 3600s.
    • Rand Time -- A random value subtracted from the rekey time to avoid simultaneous renegotiation.
      • Currently calculated as 10% of Life Time.
      • 0 to disable, but warn against disabling.
      • If empty, use the difference of Life Time and Rekey Time.
      • No effect if rekeying is disabled.

Needs upgrade code to convert existing options into this new model, taking into consideration changes which have already been made in upgrade_199_to_200().
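The defaulting and validation rules above interact (a blank Life Time is derived from Rekey/Reauth Time, while a blank Rekey/Reauth Time is derived from Life Time), so it helps to see them written out as one resolution pass. The following is an added model of the proposed rules, not pfSense code; it assumes None for a blank GUI field and 0 for an explicitly disabled timer, treats a blank P1 timer as disabled for the IKE version that does not use it, reports "nothing to derive Life Time from" as a validation error, and extends the P1 "not larger than Life Time" check to P2, all of which are assumptions beyond the ticket text.

```python
from dataclasses import dataclass, field
from typing import Optional

# Input convention (assumption): None means the GUI field was left blank,
# 0 means the user explicitly disabled the timer.
P2_DEFAULT_REKEY = 3600      # ticket: both P2 fields blank -> Rekey Time 3600s
P2_DEFAULT_LIFETIME = 3960   # ticket: both P2 fields blank -> Life Time 3960s


@dataclass
class Resolved:
    """Effective timer values plus the validation errors/warnings the GUI would show."""
    lifetime: int = 0
    rekey: int = 0
    reauth: int = 0          # Phase 2 has no reauth; it stays 0 there
    rand: int = 0
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _pct(value: int, percent: int) -> int:
    return value * percent // 100


def _check_below_lifetime(name: str, value: int, lifetime: int, errors: list) -> None:
    """Ticket validation: a rekey/reauth time may be neither equal to nor larger than Life Time."""
    if value == lifetime:
        errors.append(f"{name} must not be the same as Life Time ({lifetime}s)")
    elif value > lifetime:
        errors.append(f"{name} ({value}s) must not be larger than Life Time ({lifetime}s)")


def resolve_p1(lifetime: Optional[int], rekey: Optional[int], reauth: Optional[int],
               rand: Optional[int], ike_version: int) -> Resolved:
    """IKE SA / Phase 1 rules from the ticket."""
    r = Resolved()
    if lifetime is None:
        # Life Time blank: 110% of the larger of Rekey Time / Reauth Time.
        base = max(rekey or 0, reauth or 0)
        if base == 0:
            # Nothing to derive Life Time from (assumption: report a validation error).
            r.errors.append("Set Life Time, or a non-zero Rekey Time or Reauth Time")
            return r
        lifetime = _pct(base, 110)
    # Blank rekey (IKEv2) / reauth (IKEv1) defaults to 90% of Life Time; for the IKE
    # version that does not use the timer a blank field is treated as disabled (assumption).
    if rekey is None:
        rekey = _pct(lifetime, 90) if ike_version == 2 else 0
    if reauth is None:
        reauth = _pct(lifetime, 90) if ike_version == 1 else 0
    if rand is None:
        rand = _pct(lifetime, 10)      # blank Rand Time: 10% of Life Time
    r.lifetime, r.rekey, r.reauth, r.rand = lifetime, rekey, reauth, rand
    for name, value in (("Rekey Time", rekey), ("Reauth Time", reauth)):
        if value:                      # 0 = disabled, nothing to compare
            _check_below_lifetime(name, value, lifetime, r.errors)
    if rand == 0:
        r.warnings.append("Rand Time disabled: peers may renegotiate simultaneously")
    return r


def resolve_p2(lifetime: Optional[int], rekey: Optional[int], rand: Optional[int]) -> Resolved:
    """Child SA / Phase 2 rules from the ticket."""
    r = Resolved()
    if lifetime is None and rekey is None:
        lifetime, rekey = P2_DEFAULT_LIFETIME, P2_DEFAULT_REKEY
    elif lifetime is None:
        # Life Time blank: 110% of Rekey Time; with rekeying disabled there is nothing
        # to derive it from, so fall back to the 3960s default (assumption).
        lifetime = _pct(rekey, 110) if rekey else P2_DEFAULT_LIFETIME
    elif rekey is None:
        rekey = _pct(lifetime, 90)     # blank Rekey Time: 90% of Life Time
    if rekey == 0:
        rand = 0                       # Rand Time has no effect when rekeying is disabled
        r.warnings.append("Rekeying disabled: the child SA expires hard at Life Time")
    else:
        if rand is None:
            # Blank Rand Time: difference of Life Time and Rekey Time (clamped at 0 so a
            # too-large Rekey Time surfaces as a validation error, not a negative jitter).
            rand = max(lifetime - rekey, 0)
        _check_below_lifetime("Rekey Time", rekey, lifetime, r.errors)
        if rand == 0:
            r.warnings.append("Rand Time disabled: peers may renegotiate simultaneously")
    r.lifetime, r.rekey, r.rand = lifetime, rekey, rand
    return r
```

Integer percentages are used throughout so the derived values match what a user would expect to see in the form (28800s Life Time on IKEv2 yields a 25920s Rekey Time and 2880s Rand Time); the errors list is what the form validation would block on, the warnings list is what it would merely show.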
