From mboxrd@z Thu Jan 1 00:00:00 1970
From: Wolfgang Apolinarski <wolfgang@apolinarski.de>
To: development@lists.ipfire.org
Subject: IPsec: Default to rekey=no
Date: Wed, 20 May 2015 10:54:56 +0200
Message-ID: <002d01d092da$a57505a0$f05f10e0$@apolinarski.de>
In-Reply-To: <1432051561.16602.65.camel@ipfire.org>
List-Id: <development.lists.ipfire.org>

Hi!

I first want to say that I do not like the standard configuration of ipsec in ipfire, because I am mainly using Windows and Android clients (phone/PC) and the standard configs just do not work with that. This is why I added some configuration templates to the ipfire wiki (which are mostly taken from the Strongswan docu with some added information specific to ipfire).

When rekey is set to no, the server does not initiate any rekey, which is mandatory for Windows, because Windows does not like the server to take the initiative. Windows clients are initiating the rekey every 58-59 minutes (according to the strongswan docu, I did not check that in the logs).

There is (at least one) other alternative to rekey=no: Set the lifetime of the child SA to something like 90 minutes. Then Windows clients initiate the rekey after 58-59 minutes and rekey can be set to yes.

One could also set rekey=no, but fix the lifetime of the CHILD_SA. The CHILD_SA is then thrown away and the client needs to rekey (and apparently does so). If I understand the strongswan docu [1] correctly, the default is set to 1h (attention to the margin!) and should also be used when rekey=no. So rekey=no is a safe setting, security wise (someone should test this behavior, though).

If connecting two ipfire devices via ipsec is one of the user scenarios that should be supported, a default setting of rekey=no might not make sense since both ipfire devices would not rekey, i.e., the connection would be dropped. A longer CHILD_SA lifetime could be an alternative.

What is on my wish list: An option menu when creating a new ipsec vpn connection that offers specific configurations (Windows 7 (X.509 Machine Auth), Windows Phone (X.509 User Auth over EAP-TLS), Android (IKEV1, X.509, xauth)). I did not add this, because of a) time and b) my weird configuration that uses the ipfire DHCP and ends the tunnel directly in the green network (which - from what I understood while reading the old documentation - is not the normal configuration).

> On Tue, 19 May 2015 18:06:06 +0200, Michael Tremer
> <michael.tremer(a)ipfire.org> wrote:
(...)
> IPsec has always had these woes. That is the main reason why those awful
> SSL VPN solutions exist.

Yes! :-)

Cheers,
Wolfgang

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
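The rekey-versus-lifetime interaction discussed in the mail, worked through as a small model (added example, not code from the mail, from ipfire or from strongSwan). It assumes the rekey formula and defaults given on the cited ExpiryRekey page (lifetime=1h, margintime=9m, rekeyfuzz=100%, initiator rekeys at lifetime - (margintime + random(0, margintime * rekeyfuzz))), takes the 58-minute Windows timer from the mail, and assumes a 1h hard lifetime on the Windows side.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import random

# Constructed model of CHILD_SA rekeying between two peers.  Defaults are the
# strongSwan ExpiryRekey values cited in the mail; the Windows side's own
# hard lifetime is an assumption (1h).
@dataclass
class Peer:
    name: str
    rekey: bool                       # ipsec.conf rekey=yes/no on this side
    lifetime: int = 3600              # CHILD_SA hard lifetime in seconds
    margintime: int = 540             # 9m
    rekeyfuzz: float = 1.0            # 100 %
    own_timer: Optional[int] = None   # client with a fixed rekey interval (Windows)

    def rekey_at(self, rng: random.Random) -> Optional[int]:
        """Second at which this peer initiates a rekey, or None if it never does."""
        if self.own_timer is not None:
            return self.own_timer
        if not self.rekey:
            return None               # rekey=no: never take the initiative
        fuzz = rng.uniform(0, self.margintime * self.rekeyfuzz)
        return int(self.lifetime - (self.margintime + fuzz))

def child_sa_outcome(a: Peer, b: Peer, seed: int = 0) -> Tuple[str, int, Optional[str]]:
    """('rekeyed', t, initiator) if a peer rekeys before the earliest hard expiry,
    else ('expired', t, None): nobody rekeyed, the SA is gone and the tunnel drops."""
    rng = random.Random(seed)
    hard_expiry = min(a.lifetime, b.lifetime)
    offers = [(p.rekey_at(rng), p.name) for p in (a, b)]
    offers = [(t, n) for t, n in offers if t is not None and t < hard_expiry]
    if not offers:
        return ("expired", hard_expiry, None)
    t, who = min(offers)
    return ("rekeyed", t, who)

def scenarios() -> dict:
    """The four cases from the mail: Windows client, two ipfire boxes, 90m lifetime."""
    ipfire_no = Peer("ipfire", rekey=False)
    ipfire_90 = Peer("ipfire", rekey=True, lifetime=90 * 60)
    windows = Peer("windows", rekey=True, own_timer=58 * 60)
    return {
        "windows vs rekey=no": child_sa_outcome(ipfire_no, windows),
        "ipfire<->ipfire, both rekey=no": child_sa_outcome(ipfire_no, Peer("ipfire2", rekey=False)),
        "windows vs lifetime=90m, rekey=yes": child_sa_outcome(ipfire_90, windows),
        "ipfire<->ipfire, lifetime=90m, rekey=yes": child_sa_outcome(
            ipfire_90, Peer("ipfire2", rekey=True, lifetime=90 * 60)),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The second case is the ipfire-to-ipfire drop the mail warns about; the last two show that a 90m lifetime with rekey=yes still leaves Windows as the initiator while two ipfire boxes rekey each other in time.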