Bug 10346 - IPSec GUI defaults are incorrect.
Summary: IPSec GUI defaults are incorrect.
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: --- (show other bugs)
Version: 2
Hardware: unspecified Unspecified
: - Unknown - - Unknown -
Assignee: Assigned to nobody - feel free to grab it and work on it
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-31 15:21 UTC by Tom Rymes
Modified: 2013-07-04 12:33 UTC (History)
3 users (show)

See Also:
michael.tremer: needinfo+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tom Rymes 2013-03-31 15:21:25 UTC
This is a continuation of items discussed on the forum: http://forum.ipfire.org/index.php?topic=7955.0

Based on the data linked in the forum thread, including the StrongSwan Wiki (http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey), it appears that the IKE Phase 1 key lifetime should be longer than the Phase 2 key lifetime. 

However, the default settings in the GUI are the opposite: the phase 1 default lifetime is 1 hour, and phase 2 default is 8 hours.
Comment 1 Michael Tremer 2013-04-05 11:31:57 UTC
Where does that wiki page state that the IKE key lifetime should be longer than the IPsec key lifetime? There is an example which uses 3h/1h, but there is no statement that this either SHOULD or MUST be this way.
Comment 2 Tom Rymes 2013-04-06 06:10:23 UTC
That page in particular does not mention should or must, but the others linked in the forum thread do. Things will work properly using the defaults, but it is far from a sensible setup.

The basic mechanisms in IPSec imply that specifying a phase 2 key lifetime greater than the phase 1 lifetime is pointless. Because the Phase 2 key is dependant on the phase 1 key, even though we specify a lifetime of 8 hours for phase 2, it will get rekeyed every hour when the IKE is renegotiated, so its lifetime will effectively be 1 hour, even if we have specified 8.

My understanding, after having read the linked information, plus after having watched my tunnels' activity after changing my settings, is that the IKE SA is intended to be established and remain up for some period of time. Then, the child SA (Phase 2) is intended to be brought up and rekeyed multiple times while the IKE is active.

Things will continue to function if the defaults are left as-is, but it seems to be far from an ideal solution.

Links from the forum post:

O'Reilly: http://www.onlamp.com/pub/a/bsd/2002/12/12/FreeBSD_Basics.html?page=2
Junpier: http://forums.juniper.net/t5/SRX-Services-Gateway/IKE-life-time-VS-IPSEC-life-time/td-p/140937
Amaranten: http://www.amaranten.com/support/user%20guide/VPN/IPSec_Basics/Overview.htm
NIST: http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf