From: Larsen
To: development@lists.ipfire.org
Subject: Re: IPsec: Default to rekey=no
Date: Tue, 19 May 2015 17:56:58 +0200
In-Reply-To: <1432050352.16602.54.camel@ipfire.org>

If I understand it correctly, adding "rekey=no" only disables the server
trying to rekey, so this is left to the client and should not be a
security problem therefore.

If this is not added, clients behind a NAT will experience an interruption
in their vpn connection. I think this depends on the lifetime of something
(ikelifetime? keylifetime?). Anyhow, as long as the server tries to rekey,
the connection will be disturbed.

In the end, the user might not use IPsec anymore because of that.

Lars

On Tue, 19 May 2015 17:45:52 +0200, Michael Tremer wrote:

> Hi,
>
> obviously we cannot make this as a default option for anything. The
> rekeying is a very important process in the security of a VPN. Without
> that brute-force attacks are getting much more feasible and if they
> succeed all the data that has been transferred in this session can be
> decrypted afterwards.
>
> The link that you provided does at no point say that disabling rekeying
> is a recommended strategy to do that. It just points out some issues and
> incompatibilities with the Windows client.
>
> I CCed Wolfgang Apolinarski who recently worked on this whole matter. He
> seems to use the rekey=no option, too. Maybe he can contribute some
> insight why this is needed from his point of view.
>
> Best,
> -Michael
>
> On Tue, 2015-05-19 at 17:19 +0200, Larsen wrote:
>> Hi,
>>
>> we noticed interruptions with our IPsec roadwarriors. The problem turned
>> out to be caused by the server trying to rekey with the client that is
>> sitting behind a NAT (Windows 7 client at colleague's home). See
>> https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior
>>
>> This was solved by adding "rekey=no" to "/etc/ipsec.user.conf" for each
>> connection.
>> I wonder if this should be added by IPFire by default as I guess that all
>> roadwarriors behind a NAT (probably the majority) might have this problem.
>>
>> So, adding
>>     print CONF "\trekey=no\n";
>> to
>>     /srv/web/ipfire/cgi-bin/vpnmain.cgi
>>
>>
>> Lars
>> _______________________________________________
>> Development mailing list
>> Development(a)lists.ipfire.org
>> http://lists.ipfire.org/mailman/listinfo/development
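The following audit is an added example and is not IPFire or strongSwan code: it parses an ipsec.conf-style file (the sample content is constructed, not from a real box) and reports every conn section that carries rekey=no together with the ikelifetime and keylife values that then bound how long a session stays on one key, which is the trade-off the thread is weighing.

```python
"""Report ipsec.conf connections where this side never initiates rekeying."""
import re

# Constructed sample: a %default block, one roadwarrior with rekey=no, one without.
SAMPLE_CONF = """\
config setup
        uniqueids=yes

conn %default
        ikelifetime=3h
        keylife=1h
        rekeymargin=3m

conn rw-lars
        left=%defaultroute
        rekey=no
        keylife=1h

conn site-b
        left=%defaultroute
        ikelifetime=1h
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r'^(conn|config|ca)\s+(\S+)\s*$', line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or '=' not in line:
            continue                               # stray line outside any section
        key, value = line.strip().split('=', 1)
        sections[current][key.strip()] = value.strip()
    default = sections.get(('conn', '%default'), {})
    conns = {}
    for (kind, name), opts in sections.items():
        if kind == 'conn' and name != '%default':
            merged = dict(default)                 # explicit keys override %default
            merged.update(opts)
            conns[name] = merged
    return conns

def audit_rekey(conns):
    """List (name, ikelifetime, keylife) for conns with rekey=no; None if unset."""
    return [(name, o.get('ikelifetime'), o.get('keylife'))
            for name, o in sorted(conns.items())
            if o.get('rekey', 'yes').lower() == 'no']
```

With rekey=no the peer may still rekey, but if it never does, the SA simply expires at the listed lifetime and must be re-established, so these two values are what to review when deciding whether the setting is acceptable per connection.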