IPSec rekey interval?

kmansoft · Thu Feb 14, 2019 12:11 pm

Hello,

I'm using an AC2 as an IPSec (GRE) clinet, IKEv2 + cert auth.

The AC2 performs a rekey every 30 minutes. Is there a setting for this, to make it a longer interval?

Server logs:

Feb 14 12:50:37 charon-systemd[8478]: parsed CREATE_CHILD_SA request 111 [ No KE N(REKEY_SA) SA TSi TSr N(USE_TRANSP) ]
Feb 14 12:50:39 charon-systemd[8478]: closing CHILD_SA gre{50} with SPIs cab30e29_i (16826 bytes) 0db26864_o (115806 bytes) and TS 139.0.0.1/32[gre] === 89.0.0.1/32[gre]
Feb 14 12:50:39 charon-systemd[8478]: sending DELETE for ESP CHILD_SA with SPI cab30e29
Feb 14 12:50:39 charon-systemd[8478]: CHILD_SA closed
Feb 14 12:50:39 charon-systemd[8478]: outbound CHILD_SA gre{51} established with SPIs cee330f7_i 0eed0719_o and TS 139.0.0.1/32[gre] === 89.0.0.1/32[gre]

Thu Feb 14, 2019 12:19 pm

lifetime in ipsec proposal

kmansoft · Thu Feb 14, 2019 12:26 pm

lifetime in ipsec proposal

Sorry don't think this is it

- Lifetime is set to "1d 00:00:00" (the default)
- I believe lifetime does a full reconnect - I'm asking about rekey

It just rekeyed again.

Rekey interval on server is much larger

  gre: #52, reqid 13, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA2_256_128/ECP_256
    installed 835s ago, rekeying in 2464s, expires in 3125s

And I believe the first line below from server logs shows that the request to rekey comes from the client (Mikrotik AC2)

Feb 14 13:14:46 charon-systemd[8478]: parsed CREATE_CHILD_SA request 125 [ No KE N(REKEY_SA) SA TSi TSr N(USE_TRANSP) ]
Feb 14 13:14:46 charon-systemd[8478]: selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Feb 14 13:14:46 charon-systemd[8478]: inbound CHILD_SA gre{52} established with SPIs c3951b14_i 0977cadb_o and TS 139.0.0.1/32[gre] === 89.0.0.1/32[gre]
Feb 14 13:14:46 charon-systemd[8478]: generating CREATE_CHILD_SA response 125 [ N(USE_TRANSP) SA No KE TSi TSr ]
Feb 14 13:14:46 charon-systemd[8478]: sending packet: from 139.0.0.1[4500] to 89.0.0.1[4500] (288 bytes)
Feb 14 13:14:53 charon-systemd[8478]: received packet: from 89.0.0.1[4500] to 139.0.0.1[4500] (288 bytes)
Feb 14 13:14:53 charon-systemd[8478]: parsed INFORMATIONAL request 126 [ D ]
Feb 14 13:14:53 charon-systemd[8478]: received DELETE for ESP CHILD_SA with SPI 0eed0719
Feb 14 13:14:53 charon-systemd[8478]: closing CHILD_SA gre{51} with SPIs cee330f7_i (25151 bytes) 0eed0719_o (173769 bytes) and TS 139.0.0.1/32[gre] === 89.0.0.1/32[gre]
Feb 14 13:14:53 charon-systemd[8478]: sending DELETE for ESP CHILD_SA with SPI cee330f7
Feb 14 13:14:53 charon-systemd[8478]: CHILD_SA closed
Feb 14 13:14:53 charon-systemd[8478]: outbound CHILD_SA gre{52} established with SPIs c3951b14_i 0977cadb_o and TS 139.0.0.1/32[gre] === 89.0.0.1/32[gre]

emils · Thu Feb 14, 2019 1:00 pm

Default is 30 minutes:

/ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024

kmansoft · Thu Feb 14, 2019 1:25 pm

Thank you @emils

Yes lifetime in *proposal* not in *profile*

Now I see 30 minutes too.

> /ip ipsec proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=ecp256

IPSec rekey interval? [SOLVED]

IPSec rekey interval?

Re: IPSec rekey interval?

Re: IPSec rekey interval?

Re: IPSec rekey interval? [SOLVED]

Re: IPSec rekey interval?

Who is online