Bug #3785
closed
strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime
0%
Description
Connection entries in /var/etc/ipsec/ipsec.conf are being generated with ikelifetime set to 3600s when the GUI shows the phase 1 lifetime being 28800s.
vpn_ipsec_configure in /etc/inc/vpn.inc writes a variable called lifeline to the file for each phase 2 entry. It first sets this variable to the lifetime value of the phase 1 entry and then overwrites that with the value of the phase 2 entry.
There are 2 separate parameters for this supported by strongswan. ikelifetime and lifetime. Setting the ike values as ikelifetime and the IPsec values as lifetime in the connection should work.
Updated by Matthew Smith over 10 years ago
- Description updated (diff)
Fixed by commit fa0a1411026bcbf173fbe6d573dfc260ee883102.
https://git.pfmechanics.com/pfsense/pfsense/commit/fa0a1411026bcbf173fbe6d573dfc260ee883102
Updated by King J over 10 years ago
I think this change might have caused an issue. On August snapshots, i'm not able to negotiate IKE with another device as the IKE lifetime is transmitted as 0 seconds, which is invalid. This is confirmed by the logs on the remote device and via a packet capture captured at a point between pfSense and the remote device. I've put more details over on the snapshots forum at https://forum.pfsense.org/index.php?topic=80060.0
Updated by Matthew Smith over 10 years ago
I believe it was actually this change that caused the lifetime to be set to 0. https://github.com/pfsense/pfsense/commit/f088b8cd6a0f7a9611da41477a565e9c4b502080
If I manually set rekey = yes and restart ipsec, i see the correct lifetime being sent when the ikev1 SA is established.
Updated by Ermal Luçi
Updated by Chris Buechler over 10 years ago
- Status changed from Feedback to Resolved