public inbox for development@lists.ipfire.org
From: Wolfgang Apolinarski <wolfgang@apolinarski.de>
To: development@lists.ipfire.org
Subject: IPsec: Default to rekey=no
Date: Wed, 20 May 2015 10:54:56 +0200	[thread overview]
Message-ID: <002d01d092da$a57505a0$f05f10e0$@apolinarski.de> (raw)
In-Reply-To: <1432051561.16602.65.camel@ipfire.org>

Hi!

I first want to say that I do not like the standard configuration of ipsec in
ipfire, because I am mainly using Windows and Android clients (phone/PC) and
the standard configs just do not work with that. This is why I added some
configuration templates to the ipfire wiki (which are mostly taken from the
Strongswan docu with some added information specific to ipfire).

When rekey is set to no, the server does not initiate any rekey, which is
mandatory for Windows, because Windows does not like the server to take the
initiative. Windows clients are initiating the rekey every 58-59 minutes
(according to the strongswan docu, I did not check that in the logs).

There is (at least one) other alternative to rekey=no:
Set the lifetime of the child SA to something like 90 minutes. Then Windows
clients initiate the rekey after 58-59 minutes and rekey can be set to yes.

One could also set rekey=no, but fix the lifetime of the CHILD_SA. The
CHILD_SA is then thrown away and the client needs to rekey (and apparently
does so). If I understand the strongswan docu [1] correctly, the default is
set to 1h (attention to the margin!) and should also be used when rekey=no. So
rekey=no is a safe setting, security wise (someone should test this behavior,
though).

If connecting two ipfire devices via ipsec is one of the user scenarios that
should be supported, a default setting of rekey=no might not make sense since
both ipfire devices would not rekey, i.e., the connection would be dropped. A
longer CHILD_SA lifetime could be an alternative.

What is on my wish list:
An option menu when creating a new ipsec vpn connection that offers specific
configurations (Windows 7 (X.509 Machine Auth), Windows Phone (X.509 User Auth
over EAP-TLS), Android (IKEV1, X.509, xauth)).
I did not add this, because of a) time and b) my weird configuration that uses
the ipfire DHCP and ends the tunnel directly in the green network (which -
from what I understood while reading the old documentation - is not the normal
configuration).

> On Tue, 19 May 2015 18:06:06 +0200, Michael Tremer
> <michael.tremer(a)ipfire.org> wrote:
(...)
> IPsec has always had these woes. That is the main reason why those awful
> SSL VPN solutions exist.

Yes! :-)

Cheers,
Wolfgang

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
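An added calculator, my own code and not from this thread, strongSwan or IPFire, that works through the timing argument in the mail above. It uses the lifetime/margintime/rekeyfuzz semantics from the strongSwan ExpiryRekey page cited as [1] (defaults lifetime=1h, margintime=9m, rekeyfuzz=100%) and the 58-59 minute Windows rekey figure quoted in the mail; the class and function names are my own.

```python
"""Work out who rekeys first: the strongSwan side or a Windows client.

strongSwan semantics (ExpiryRekey wiki): a CHILD_SA is rekeyed at
lifetime - margin, where margin is randomised between margintime and
margintime * (1 + rekeyfuzz). The hard expiry is always at lifetime.
With rekey=no this side never initiates; the SA just expires.
"""
from dataclasses import dataclass

MINUTE = 60


@dataclass(frozen=True)
class SaPolicy:
    lifetime: int = 60 * MINUTE    # strongSwan default: 1h (hard expiry)
    margintime: int = 9 * MINUTE   # strongSwan default: 9m
    rekeyfuzz: float = 1.0         # strongSwan default: 100%
    rekey: bool = True             # ipsec.conf rekey=yes|no

    def rekey_window(self):
        """(earliest, latest) seconds at which this side starts rekeying,
        or None when rekey=no."""
        if not self.rekey:
            return None
        latest = self.lifetime - self.margintime
        earliest = self.lifetime - int(self.margintime * (1 + self.rekeyfuzz))
        return earliest, latest


def peer_rekeys_first(server: SaPolicy, peer_rekey_at: int) -> bool:
    """True if a peer rekeying at `peer_rekey_at` seconds always acts before
    the server would either rekey or hard-expire the CHILD_SA."""
    window = server.rekey_window()
    if window is None:                      # rekey=no: only expiry matters
        return peer_rekey_at < server.lifetime
    earliest, _ = window
    return peer_rekey_at < earliest         # must beat the *earliest* rekey


# Windows clients rekey after roughly 58-59 minutes (figure from the mail).
WINDOWS_REKEY_AT = 59 * MINUTE

SCENARIOS = {
    "ipfire default (rekey=yes, 1h)": SaPolicy(),
    "rekey=no, 1h lifetime": SaPolicy(rekey=False),
    "rekey=yes, 90m lifetime": SaPolicy(lifetime=90 * MINUTE),
}


def evaluate():
    """Map each scenario to whether a Windows client gets to rekey first."""
    return {name: peer_rekeys_first(p, WINDOWS_REKEY_AT)
            for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name}: {'Windows rekeys first' if ok else 'server acts first'}")
```

With the defaults the server would start rekeying somewhere between 42 and 51 minutes, ahead of the Windows client; both rekey=no and a 90-minute lifetime move the server's action past the 59-minute mark.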

Thread overview: 5+ messages
2015-05-19 15:19 Larsen
2015-05-19 15:45 ` Michael Tremer
2015-05-19 15:56   ` Larsen
2015-05-19 16:06     ` Michael Tremer
2015-05-20  8:54       ` Wolfgang Apolinarski [this message]