From: Larsen
To: development@lists.ipfire.org
Subject: IPsec: Default to rekey=no
Date: Tue, 19 May 2015 17:19:31 +0200

Hi,

we noticed interruptions with our IPsec roadwarriors. The problem turned
out to be caused by the server trying to rekey with the client that is
sitting behind a NAT (Windows 7 client at colleague's home). See
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior

This was solved by adding "rekey=no" to "/etc/ipsec.user.conf" for each
connection.

I wonder if this should be added by IPFire by default as I guess that all
roadwarriors behind a NAT (probably the majority) might have this problem.

So, adding

    print CONF "\trekey=no\n";

to /srv/web/ipfire/cgi-bin/vpnmain.cgi

Lars
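An added example, not part of the original message and not IPFire code: a small audit that reads ipsec.conf-style text and lists the roadwarrior connections for which the server would still initiate rekeying. It assumes roadwarrior connections are the ones declared with right=%any; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in ipsec.conf syntax (not taken from a real IPFire system).
SAMPLE_CONF = """\
conn %default
    keyingtries=%forever

conn HomeOffice
    right=%any
    auto=add

conn Laptop
    right=%any
    rekey=no

conn BranchNet
    right=198.51.100.7
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None   # 'config setup', 'ca' or another section
    return conns

def roadwarriors_that_rekey(text):
    """Names of conns with right=%any whose effective rekey is not 'no'."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})   # inherited by every conn
    flagged = []
    for name, opts in conns.items():
        effective = {**defaults, **opts}
        # Assumption: right=%any marks a roadwarrior. rekey defaults to yes.
        if effective.get("right") == "%any" and effective.get("rekey", "yes") != "no":
            flagged.append(name)
    return flagged

print(roadwarriors_that_rekey(SAMPLE_CONF))
```

Setting rekey=no only stops the local daemon from requesting renegotiation; it still responds when the remote end starts one.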