Todo #11219

Updated by Jim Pingle 11 months ago

Additional options are available to control for P1 and P2 renegotiation but we either calculate them or accept the defaults. Somewhat related to #10176 and similar issues with (re)negotiation, and the current P1 layout is a bit confusing for users who are used to working with total lifetime values. 

 Some changes could be made for consistency as well. What we should end up with is: 

 * IKE SA / Phase 1 

   * Life Time -- Remove Over Time and change to Life Time. Hard upper limit on IKE SA life time. 

     * Take this value and calculate others based on it (e.g. Over Time as 10%). This way users don't have to manually do the math if they want a specific total Life Time. 
     * If empty, calculated based on max of Rekey/Reauth Time (110%) 
     * Add input validation to prevent user from setting Rekey/Reauth time to the same value as Life Time 
     * Add input validation to prevent user from setting Rekey/Reauth time to a larger value than Life Time 

   * Rekey Time -- Same as now 

     * 0 to disable and if blank, use 90% lifetime when using IKEv2 

   * Reauth Time -- Same as now 

     * 0 to disable and if blank, use 90% lifetime when using IKEv1 

   * Rand Time -- A random value subtracted from rekey/reauth time to avoid simultaneous renegotiation. 

     * Current value is empty which defaults to 10% of Life Time. 
     * 0 to disable, but warn against disabling. 

 * Child SA / Phase 2 

   * Life Time -- Same as now but warn it is a hard upper limit, similar to P1. 

     * If empty, defaults to 110% of Rekey Time 
     * If both Rekey Time and Life Time are empty, default to 3960s. 
     * Add input validation to prevent user from setting Rekey time to the same value as Life Time 

   * Rekey Time -- Time at which to rekey the child SA entry.  

     * Currently calculated as 90% of Life Time. 
     * 0 to disable rekeying, but warn against disabling. 
     * If empty, default to 90% of Life Time. 
     * If both Rekey Time and Life Time are empty, default to 3600s. 

   * Rand Time -- A random value subtracted from rekey time to avoid simultaneous renegotiation. 

     * Currently calculated as 10% of Life Time. 
     * 0 to disable, but warn against disabling. 
     * If empty, then take the difference of Life Time and Rekey Time. 
     * No effect if rekey is disabled 

 Needs upgrade code to change existing options into this new model, take into consideration changes which have already been made in @upgrade_199_to_200()@. 
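The defaulting and validation rules above, worked through in Python as an added illustration (this is not pfSense code and does not mirror its PHP form handling). `None` stands for an empty field, all times are integer seconds, and two points the issue leaves open are filled in as assumptions: a blank Rekey/Reauth field for the IKE version it does not apply to becomes 0 (disabled), and a P1 form with Life Time, Rekey Time and Reauth Time all empty is rejected because no default is stated.

```python
"""Resolve IKE SA (P1) and Child SA (P2) timers from partially filled form
values.  Illustration of the rules in the issue text, not pfSense code."""

IKEV1 = 1
IKEV2 = 2


def _pct(value, percent):
    # Integer percentage so that 110% of 3600 is exactly 3960, not 3960.0000000000005.
    return value * percent // 100


def resolve_p1(life_time=None, rekey_time=None, reauth_time=None,
               rand_time=None, ike_version=IKEV2):
    """Return the resolved P1 timers plus any warnings the UI should show."""
    warnings = []
    # Life Time is the hard upper limit.  If empty, derive it as 110% of
    # the larger of Rekey/Reauth, ignoring empty (None) and disabled (0) values.
    if life_time is None:
        candidates = [t for t in (rekey_time, reauth_time) if t]
        if not candidates:
            # Assumption: the issue gives no default for this case, so reject it.
            raise ValueError("P1 Life Time cannot be derived: Rekey and Reauth are empty or disabled")
        life_time = _pct(max(candidates), 110)
    # Rekey Time: 0 disables; blank means 90% of Life Time under IKEv2.
    # Assumption: blank under IKEv1 means disabled (0).
    if rekey_time is None:
        rekey_time = _pct(life_time, 90) if ike_version == IKEV2 else 0
    # Reauth Time: 0 disables; blank means 90% of Life Time under IKEv1.
    # Assumption: blank under IKEv2 means disabled (0).
    if reauth_time is None:
        reauth_time = _pct(life_time, 90) if ike_version == IKEV1 else 0
    # Input validation: neither timer may equal or exceed the hard limit.
    for name, t in (("Rekey Time", rekey_time), ("Reauth Time", reauth_time)):
        if t == life_time:
            raise ValueError(f"{name} must not be the same value as Life Time")
        if t > life_time:
            raise ValueError(f"{name} must not be larger than Life Time")
    # Rand Time: blank defaults to 10% of Life Time; 0 disables but is discouraged.
    if rand_time is None:
        rand_time = _pct(life_time, 10)
    elif rand_time == 0:
        warnings.append("Rand Time disabled: peers may renegotiate simultaneously")
    return {"life_time": life_time, "rekey_time": rekey_time,
            "reauth_time": reauth_time, "rand_time": rand_time,
            "warnings": warnings}


def resolve_p2(life_time=None, rekey_time=None, rand_time=None):
    """Return the resolved P2 (Child SA) timers plus any warnings."""
    warnings = []
    # Both empty: fixed defaults of 3960s / 3600s.
    if life_time is None and rekey_time is None:
        life_time, rekey_time = 3960, 3600
    elif life_time is None:
        life_time = _pct(rekey_time, 110)   # Life Time defaults to 110% of Rekey
    elif rekey_time is None:
        rekey_time = _pct(life_time, 90)    # Rekey defaults to 90% of Life Time
    if rekey_time == life_time:
        raise ValueError("Rekey Time must not be the same value as Life Time")
    if rekey_time == 0:
        # Rekeying disabled: discouraged, and Rand Time then has no effect
        # (assumption: report it as 0 rather than a computed value).
        warnings.append("Rekeying disabled: the Child SA will only expire, never rekey")
        rand_time = 0
    elif rand_time is None:
        rand_time = life_time - rekey_time  # difference between Life and Rekey
    elif rand_time == 0:
        warnings.append("Rand Time disabled: peers may renegotiate simultaneously")
    return {"life_time": life_time, "rekey_time": rekey_time,
            "rand_time": rand_time, "warnings": warnings}


if __name__ == "__main__":
    print(resolve_p1(rekey_time=28800, ike_version=IKEV2))
    print(resolve_p2())
```

The two functions are independent so each can be wired to its own form; the caller turns `ValueError` into an input-validation message and the `warnings` list into the "warn against disabling" notices the issue calls for.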
