Bug 10346

Summary: IPSec GUI defaults are incorrect.
Product: IPFire
Reporter: Tom Rymes <tomvend>
Component: ---
Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: CLOSED FIXED
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
CC: arne.fitzenreiter, michael.tremer, stefan.schantl
Version: 2
Flags: michael.tremer: needinfo+
Hardware: unspecified
OS: Unspecified

Description Tom Rymes 2013-03-31 15:21:25 UTC
This is a continuation of items discussed on the forum: http://forum.ipfire.org/index.php?topic=7955.0

Based on the data linked in the forum thread, including the StrongSwan Wiki (http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey), it appears that the IKE Phase 1 key lifetime should be longer than the Phase 2 key lifetime. 

However, the default settings in the GUI are the opposite: the phase 1 default lifetime is 1 hour, and phase 2 default is 8 hours.

Comment 1 Michael Tremer 2013-04-05 11:31:57 UTC
Where does that wiki page state that the IKE key lifetime should be longer than the IPsec key lifetime? There is an example which uses 3h/1h, but there is no statement that this either SHOULD or MUST be this way.

Comment 2 Tom Rymes 2013-04-06 06:10:23 UTC
That page in particular does not mention should or must, but the others linked in the forum thread do. Things will work properly using the defaults, but it is far from a sensible setup.

The basic mechanisms in IPSec imply that specifying a phase 2 key lifetime greater than the phase 1 lifetime is pointless. Because the Phase 2 key is dependent on the phase 1 key, even though we specify a lifetime of 8 hours for phase 2, it will get rekeyed every hour when the IKE is renegotiated, so its lifetime will effectively be 1 hour, even if we have specified 8.

My understanding, after having read the linked information, plus after having watched my tunnels' activity after changing my settings, is that the IKE SA is intended to be established and remain up for some period of time. Then, the child SA (Phase 2) is intended to be brought up and rekeyed multiple times while the IKE is active.

Things will continue to function if the defaults are left as-is, but it seems to be far from an ideal solution.

Links from the forum post:

O'Reilly: http://www.onlamp.com/pub/a/bsd/2002/12/12/FreeBSD_Basics.html?page=2
Juniper: http://forums.juniper.net/t5/SRX-Services-Gateway/IKE-life-time-VS-IPSEC-life-time/td-p/140937
Amaranten: http://www.amaranten.com/support/user%20guide/VPN/IPSec_Basics/Overview.htm
NIST: http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
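
Added example, not part of the bug report or of IPFire's code: a small Python check that scans strongSwan `ipsec.conf` text and lists connections whose Phase 2 lifetime (`lifetime`/`keylife`) is longer than the Phase 1 lifetime (`ikelifetime`), the situation this report describes. The sample configuration is constructed, `also=` includes are not followed, and the 3h/1h fallback values are assumed to be strongSwan's built-in defaults.

```python
import re

# Assumption: strongSwan's built-in values when a conn sets neither option.
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert an ipsec.conf time value (8h, 90m, 3600) to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable time value: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current["lifetime" if key == "keylife" else key] = value
    return conns

def inverted_lifetimes(text):
    """List (conn, ike_seconds, child_seconds) where Phase 2 outlives Phase 1."""
    conns = parse_conns(text)
    base = {**DEFAULTS, **conns.pop("%default", {})}
    findings = []
    for name, opts in conns.items():
        eff = {**base, **opts}
        ike, child = to_seconds(eff["ikelifetime"]), to_seconds(eff["lifetime"])
        if child > ike:
            findings.append((name, ike, child))
    return findings

# Constructed sample: the 1h/8h GUI defaults next to the wiki's 3h/1h example.
SAMPLE = """
conn gui-defaults   # values reported in this bug
    ikelifetime=1h
    keylife=8h
conn wiki-example
    ikelifetime=3h
    lifetime=1h
"""
```

Calling `inverted_lifetimes(SAMPLE)` returns one finding, for `gui-defaults`, with both lifetimes in seconds.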