Netgate Discussion Forum

    Mobile IKEv2 Child SA Rekeying Issue on Windows 7

      ltctech

      We have a mobile IKEv2 Windows 7 client that is dropping the connection roughly every 45-75 minutes. I saw it happen exactly when the rekey timer on pfSense expired.

      This is apparently because Windows 7 does not support rekeying initiated by the gateway, though it does rekey every 58 minutes and 46 seconds:
      https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#CHILD_SA-rekeying

      StrongSwan by default has a 9 minute rekeying margin with a random fuzz factor that can double it for when it decides to rekey. As a result, StrongSwan may try to rekey within 42 minutes if the lifetime is an hour, thus breaking the connection:
      https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#CHILD_SA-rekeying

      It seems that I can check "Disable rekey" in the phase 1 settings. I'm just wondering if there will be any ill effects as a result, especially with other operating systems (iOS, macOS, Win 8.1, Win 10).

      The safer alternative may be to simply raise the child SA lifetime to 2 hours. Going to try that for now.

        ltctech

        Seems that upping the lifetime to two hours simply made it drop less often. I set it back to one hour and disabled rekeying as a test.

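The rekey timing described in the first post, worked through as an added example (not code from the poster, pfSense or strongSwan). It uses the rekey-time formula from strongSwan's ipsec.conf documentation and assumes that only the time-based CHILD_SA rekey is in play and that a client-initiated rekey installs a new SA with fresh timers; the function names are hypothetical.

```python
# Added example: strongSwan time-based CHILD_SA rekey window compared with a
# client that rekeys on its own fixed interval. Formula from the strongSwan
# ipsec.conf documentation:
#   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
# Assumption: no other rekey trigger (byte/packet limits, IKE_SA lifetime).

WIN7_REKEY_S = 58 * 60 + 46      # client interval quoted in the thread
DEFAULT_MARGIN_S = 9 * 60        # default rekey margin quoted in the thread
DEFAULT_FUZZ_PCT = 100           # fuzz that "can double" the margin


def max_margin(margin_s=DEFAULT_MARGIN_S, fuzz_pct=DEFAULT_FUZZ_PCT):
    """Largest margin the random fuzz can produce, in seconds."""
    if margin_s < 0 or fuzz_pct < 0:
        raise ValueError("margin and fuzz must be non-negative")
    return margin_s * (100 + fuzz_pct) // 100


def rekey_window(lifetime_s, margin_s=DEFAULT_MARGIN_S, fuzz_pct=DEFAULT_FUZZ_PCT):
    """(earliest, latest) seconds after SA setup at which the gateway rekeys."""
    earliest = lifetime_s - max_margin(margin_s, fuzz_pct)
    if earliest <= 0:
        raise ValueError("lifetime is too short for this margin and fuzz")
    return earliest, lifetime_s - margin_s


def gateway_may_rekey_first(lifetime_s, client_interval_s=WIN7_REKEY_S,
                            margin_s=DEFAULT_MARGIN_S, fuzz_pct=DEFAULT_FUZZ_PCT):
    """True if the gateway's earliest rekey can land before the client's own."""
    earliest, _ = rekey_window(lifetime_s, margin_s, fuzz_pct)
    return earliest <= client_interval_s


def min_lifetime_client_first(client_interval_s=WIN7_REKEY_S,
                              margin_s=DEFAULT_MARGIN_S, fuzz_pct=DEFAULT_FUZZ_PCT):
    """Shortest lifetime (seconds) for which the client always rekeys first."""
    return client_interval_s + max_margin(margin_s, fuzz_pct) + 1


def fmt(seconds):
    return f"{seconds // 60}m{seconds % 60:02d}s"


if __name__ == "__main__":
    for lifetime in (3600, 7200):
        lo, hi = rekey_window(lifetime)
        print(f"lifetime {fmt(lifetime)}: gateway rekeys between {fmt(lo)} and "
              f"{fmt(hi)}; can precede client: {gateway_may_rekey_first(lifetime)}")
    print("minimum lifetime for client-first rekey:", fmt(min_lifetime_client_first()))
```
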
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.