Todo #11219
Updated by Jim Pingle almost 5 years ago
Additional options are available to control for P1 and P2 renegotiation but we either calculate them or accept the defaults. Somewhat related to #10176 and similar issues with (re)negotiation, and the current P1 layout is a bit confusing for users who are used to working with total lifetime values.
Some changes could be made for consistency as well. What we should end up with is:
* IKE SA / Phase 1
  * Life Time -- Remove Over Time and change to Life Time. Hard upper limit on IKE SA life time.
    * Take this value and calculate others based on it (e.g. Over Time as 10%). This way users don't have to manually do the math if they want a specific total Life Time.
    * If empty, calculated based on max of Rekey/Reauth Time (110%)
    * Add input validation to prevent user from setting Rekey/Reauth time to the same value as Life Time
    * Add input validation to prevent user from setting Rekey/Reauth time to a larger value than Life Time
  * Rekey Time -- Same as now
    * 0 to disable and if blank, use 90% lifetime when using IKEv2
  * Reauth Time -- Same as now
    * 0 to disable and if blank, use 90% lifetime when using IKEv1
  * Rand Time -- A random value subtracted from rekey/reauth time to avoid simultaneous renegotiation.
    * Current value is empty which defaults to 10% of Life Time.
    * 0 to disable, but warn against disabling.
* Child SA / Phase 2
  * Life Time -- Same as now but warn it is a hard upper limit, similar to P1.
    * If empty, defaults to 110% of Rekey Time
    * If both Rekey Time and Life Time are empty, default to 3960s.
    * Add input validation to prevent user from setting Rekey time to the same value as Life Time
  * Rekey Time -- Time at which to rekey the child SA entry.
    * Currently calculated as 90% of Life Time.
    * 0 to disable rekeying, but warn against disabling.
    * If empty, default to 90% of Life Time.
    * If both Rekey Time and Life Time are empty, default to 3600s.
  * Rand Time -- A random value subtracted from rekey time to avoid simultaneous renegotiation.
    * Currently calculated as 10% of Life Time.
    * 0 to disable, but warn against disabling.
    * If empty, then take the difference of Life Time and Rekey Time.
    * No effect if rekey is disabled
Needs upgrade code to change existing options into this new model, taking into consideration changes which have already been made in @upgrade_199_to_200()@.
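The Child SA / Phase 2 rules listed above, worked through as an added example (not pfSense code and not part of the original issue). The function name, integer rounding, the fallback when rekeying is disabled with an empty Life Time, and rejecting a Rekey Time larger than Life Time for Phase 2 are assumptions.

```python
# Added example: Phase 2 (Child SA) timer defaults as listed in this issue.
# Hypothetical helper, not pfSense code. Blank fields are passed as None.

DEFAULT_REKEY = 3600  # page: default when both Rekey Time and Life Time are empty
DEFAULT_LIFE = 3960   # page: default when both Rekey Time and Life Time are empty


def resolve_child_sa(life=None, rekey=None, rand=None):
    """Fill in blank timers; return (timers dict, list of warnings)."""
    warnings = []
    for name, value in (("life", life), ("rekey", rekey), ("rand", rand)):
        if value is not None and (not isinstance(value, int) or value < 0):
            raise ValueError(f"{name} must be a non-negative integer or blank")

    if life is None and rekey is None:
        life, rekey = DEFAULT_LIFE, DEFAULT_REKEY
    elif rekey is None:
        rekey = life * 90 // 100  # 90% of Life Time (floor rounding: assumption)
    elif life is None:
        # 110% of Rekey Time. With rekeying disabled there is nothing to
        # scale, so fall back to the default Life Time (assumption).
        life = rekey * 110 // 100 if rekey > 0 else DEFAULT_LIFE

    if rekey == 0:
        warnings.append("rekey disabled: SA ends at the hard Life Time limit")
        # Rand Time has no effect when rekeying is disabled.
        return {"life": life, "rekey": 0, "rand": 0}, warnings

    if rekey >= life:
        # The issue asks to reject equality for Phase 2; rejecting larger
        # values mirrors the Phase 1 rule and is an assumption here.
        raise ValueError("Rekey Time must be lower than Life Time")

    if rand is None:
        rand = life - rekey  # difference of Life Time and Rekey Time
    elif rand == 0:
        warnings.append("rand disabled: peers may renegotiate simultaneously")

    return {"life": life, "rekey": rekey, "rand": rand}, warnings


if __name__ == "__main__":
    for args in ({}, {"life": 28800}, {"rekey": 3600}, {"life": 3600, "rekey": 0}):
        print(args, "->", resolve_child_sa(**args))
```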