From: Wolfgang Apolinarski
To: development@lists.ipfire.org
Subject: IPsec default to rekey=no - tests
Date: Fri, 05 Jun 2015 15:55:34 +0200
Message-ID: <000c01d09f97$4b484550$e1d8cff0$@apolinarski.de>

Hi!

I performed some tests with ipfire and the Windows VPN client (for the
rekey=no issue). I usually use short-time VPN connections (<3 hours), so I did
not recognize any problems.

During the tests, I did not find any configuration that allowed me a stable VPN
connection, all connections drop after 3-4 hours (IKE re-negotiation, CHILD_SA
re-negotiation works fine). The problem could also be located in one of the
used routers...

If you have any suggestion on what configuration I should test as well, please
let me know.

My default configuration (1st try):

conn WinAndroidVPN
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        lefthostaccess=yes
        leftallowany=yes
        leftcert=/var/ipfire/certs/hostcert.pem
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        right=%any
        keyexchange=ikev2
        compress=yes
        dpdaction=clear
        dpddelay=30s
        auto=add
        rightsourceip=%dhcp
        ikelifetime=4h
        lifetime=2h
        keylife=8h
        rightcert=/var/ipfire/certs/WinAndroidVPNcert.pem

The protocol for this config is located here:
http://pastebin.com/iXjjp71R

2nd try changes:

        ikelifetime=4h
        lifetime=90m

The protocol for the 2nd config is located here:
http://pastebin.com/xyarBvub

3rd try changes:

        rekey=no
        ikelifetime=4h
        lifetime=2h

The protocol for the 3rd config is located here:
http://pastebin.com/jmPNzxUX

So, sorry, I was not able to find a stable connection and have no suggestion on
how to change the default config such that a stable connection with Windows
7/8.1 is possible.

Best regards,
Wolfgang