IPSec Timeout / Rekeying
-
Hi all,
I am having trouble understanding the IPsec timeouts and the reauth/rekeying phases. Let me explain: in my pfSense I have a few VPN tunnels (site-to-site) connected to several different LANCOM routers. On my LANCOM routers I can see that the tunnel was established, for example, 12 hours ago. The same tunnel, on the other hand, is described as "established 2 hours ago", for example. So there is always a difference between the connection times.
I am afraid this could result in connection issues from time to time. I tried to disable the rekey in Phase 1 without success. It had no influence on how long the tunnel stays connected (according to the pfSense IPsec status). By the way, I noticed that the reauth time is counting down...
Any ideas on this? What I would like to have in the end is a stable IPsec tunnel with as few disconnects as possible, because VoIP is going to be carried over this connection. Even if this might mean security is being reduced without rekeying (if possible).
Thanks.
-
Don't disable rekey.
Where you have differing times, it might be because you're looking at the IKE SA on one and the IPsec SA on the other. Might be indicative of a lifetime mismatch or other problem as well.
Are you having any actual problems, or just afraid you might?
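Added example, not part of this thread and not pfSense or strongSwan code: a small parser for status output shaped like strongSwan's `swanctl --list-sas` (strongSwan is the IKE daemon behind pfSense). It separates the IKE (Phase 1) SA's "established ... ago" from each IPsec (CHILD/Phase 2) SA's "installed ... ago", so you can see that the two ages are different clocks, derives the configured lifetimes from age plus time remaining, and flags any SA whose rekey is scheduled too close to its hard expiry. The connection names, addresses and timer values in the sample are constructed; the line wording is an assumption to check against your own box before trusting the regexes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `swanctl --list-sas` output (assumption:
# wording follows strongSwan; names, addresses and timers are invented).
SAMPLE = """\
con-lancom1: #3, ESTABLISHED, IKEv1, 5f1c9e0a3b2d4c8e_i* 9a8b7c6d5e4f3a2b_r
  local  'pfsense.example' @ 203.0.113.10[500]
  remote 'lancom1.example' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 7200s ago, reauth in 21600s
  con-lancom1: #17, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 2700s ago, rekeying in 360s, expires in 900s
    in  c1d2e3f4,  12345678 bytes,   98765 packets,     1s ago
    out f4e3d2c1,  23456789 bytes,  123456 packets,     1s ago
    local  10.10.0.0/24
    remote 10.20.0.0/24
con-lancom2: #4, ESTABLISHED, IKEv2, 0011223344556677_i 8899aabbccddeeff_r*
  local  'pfsense.example' @ 203.0.113.10[500]
  remote 'lancom2.example' @ 198.51.100.30[500]
  established 300s ago, rekeying in 28500s
  con-lancom2: #18, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 300s ago, rekeying in 3300s, expires in 3300s
    local  10.10.0.0/24
    remote 10.30.0.0/24
"""

IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z]+), IKEv(?P<ver>[12])")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid \d+, (?P<state>[A-Z]+)")
IKE_TIME_RE = re.compile(r"established (?P<age>\d+)s ago(?:, (?P<kind>rekeying|reauth) in (?P<left>\d+)s)?")
CHILD_TIME_RE = re.compile(r"installed (?P<age>\d+)s ago, rekeying in (?P<rekey>\d+)s, expires in (?P<expire>\d+)s")


@dataclass
class ChildSA:
    """One IPsec (Phase 2 / CHILD) SA: the SA that actually carries traffic."""
    name: str
    id: int
    age: int = 0         # seconds since this SA was installed
    rekey_in: int = 0    # soft lifetime left: a replacement SA is negotiated then
    expire_in: int = 0   # hard lifetime left: the SA is torn down then

    @property
    def lifetime(self) -> int:
        # age + hard expiry = the configured Phase 2 lifetime (the hard limit
        # is not jittered, so this is exact).
        return self.age + self.expire_in

    @property
    def margin(self) -> int:
        # Window between scheduled rekey and hard expiry; the rekey must finish
        # inside it or the tunnel really does drop.
        return self.expire_in - self.rekey_in


@dataclass
class IkeSA:
    """One IKE (Phase 1) SA; its children are the IPsec SAs negotiated under it."""
    name: str
    id: int
    version: int
    age: int = 0
    kind: Optional[str] = None   # "rekeying" or "reauth", whichever is scheduled
    left: Optional[int] = None   # seconds until that event
    children: List[ChildSA] = field(default_factory=list)

    @property
    def lifetime(self) -> Optional[int]:
        # Approximate Phase 1 lifetime: strongSwan jitters the scheduled time,
        # so expect a value slightly below what is configured.
        return None if self.left is None else self.age + self.left


def parse_list_sas(text: str) -> List[IkeSA]:
    sas: List[IkeSA] = []
    ike: Optional[IkeSA] = None
    child: Optional[ChildSA] = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike = IkeSA(m["name"], int(m["id"]), int(m["ver"]))
            sas.append(ike)
            child = None
            continue
        m = CHILD_RE.match(line)
        if m and ike is not None:
            child = ChildSA(m["name"], int(m["id"]))
            ike.children.append(child)
            continue
        m = IKE_TIME_RE.search(line)
        if m and ike is not None:
            ike.age = int(m["age"])
            ike.kind = m["kind"]
            ike.left = int(m["left"]) if m["left"] else None
            continue
        m = CHILD_TIME_RE.search(line)
        if m and child is not None:
            child.age, child.rekey_in, child.expire_in = (
                int(m["age"]), int(m["rekey"]), int(m["expire"]))
    return sas


def ages(sas: List[IkeSA]) -> Dict[str, Tuple[int, List[int]]]:
    """Per connection: (IKE SA age, [IPsec SA ages]). Two different clocks:
    one peer's IKE age against the other's IPsec age proves nothing."""
    return {s.name: (s.age, [c.age for c in s.children]) for s in sas}


def check_rekey_margins(sas: List[IkeSA], min_margin: int = 60) -> List[str]:
    """Flag SAs that would hit their hard lifetime before a rekey can complete."""
    findings = []
    for s in sas:
        if s.kind is None:
            findings.append(f"{s.name}[{s.id}]: no rekey/reauth scheduled for the IKE SA")
        for c in s.children:
            if c.margin < min_margin:
                findings.append(f"{c.name}{{{c.id}}}: rekey only {c.margin}s before "
                                f"hard expiry (lifetime {c.lifetime}s)")
    return findings


if __name__ == "__main__":
    parsed = parse_list_sas(SAMPLE)
    for name, (ike_age, child_ages) in ages(parsed).items():
        print(f"{name}: IKE SA up {ike_age}s, IPsec SA(s) up {child_ages}")
    for finding in check_rekey_margins(parsed):
        print("WARNING:", finding)
```

Run it against `swanctl --list-sas` captured on each peer: if the derived Phase 1 and Phase 2 lifetimes differ between the two ends, or a CHILD SA shows no margin between "rekeying in" and "expires in", that is the lifetime mismatch cmb mentions, and it is a better lead than the raw "established N hours ago" figures.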
-
@cmb:
Don't disable rekey.
Where you have differing times, it might be because you're looking at the IKE SA on one and the IPsec SA on the other. Might be indicative of a lifetime mismatch or other problem as well.
Are you having any actual problems, or just afraid you might?
I am afraid that I might have issues. In general, I compared the lifetime and it is identical on both sides. In order to get more information I set up a syslog server. What would a disconnect message look like, so I can see if there are actual issues?
So about the lifetime, which is currently 28800 sec (equals 8 hours): is the following conclusion right? After this timeout is reached, rekeying happens. Rekeying takes place in Phase 1, which will lead to a short disconnect, right?
-
Rekeying should not result in any drop in connectivity, as it should complete before expiration and then replace the old SA. Leave a constant ping running for around 48 hours and verify you don't have any excessive loss (sub-0.5%, assuming a reliable Internet connection). If that checks out, you're fine.
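Added example, not from this thread: a way to evaluate the 48-hour ping test suggested above. Beyond the 0.5% total-loss figure it reconstructs every run of consecutive lost probes from gaps in `icmp_seq`, because for VoIP a single three-second outage matters more than the same three packets lost one at a time across a day. The sample ping lines are constructed; the 2-second "audible outage" threshold is an assumption, as is the `icmp_seq=N` wording (what Linux and FreeBSD ping print).

```python
import re
from typing import Dict, List

SEQ_RE = re.compile(r"icmp_seq=(\d+)")
# Final summary line, Linux ("17 received") or FreeBSD ("17 packets received").
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

# Constructed sample: 20 one-second pings across the tunnel, seq 7-9 lost,
# i.e. one three-second outage, followed by ping's own summary.
SAMPLE_PING = [
    f"64 bytes from 10.20.0.1: icmp_seq={i} ttl=63 time=14.{i % 10} ms"
    for i in range(1, 21) if i not in (7, 8, 9)
] + [
    "--- 10.20.0.1 ping statistics ---",
    "20 packets transmitted, 17 packets received, 15.0% packet loss",
]


def analyze(lines: List[str], interval_s: float = 1.0) -> Dict:
    """Summarize a ping log: overall loss plus every run of consecutive lost
    probes, reconstructed from gaps in icmp_seq (works on a plain capture,
    no -O/-D flags needed). The summary line, when present, is authoritative
    for the totals because trailing losses leave no gap to detect."""
    seqs = sorted({int(m.group(1)) for m in map(SEQ_RE.search, lines) if m})
    if not seqs:
        return {"sent": 0, "received": 0, "loss_pct": 100.0, "outages": []}
    sent = seqs[-1] - seqs[0] + 1      # probes that must have been sent
    received = len(seqs)               # duplicates already collapsed
    for line in lines:
        m = SUMMARY_RE.search(line)
        if m:
            sent, received = int(m.group(1)), int(m.group(2))
    outages = []
    prev = seqs[0]
    for s in seqs[1:]:
        if s - prev > 1:
            outages.append({"from_seq": prev + 1, "to_seq": s - 1,
                            "seconds": (s - prev - 1) * interval_s})
        prev = s
    return {"sent": sent, "received": received,
            "loss_pct": 100.0 * (sent - received) / sent, "outages": outages}


def verdict(stats: Dict, max_loss_pct: float = 0.5, max_outage_s: float = 2.0) -> bool:
    """Pass only if total loss is under the thread's 0.5% figure AND no single
    gap is long enough to be audible on a call (2 s is an assumption; use what
    your codec's jitter buffer tolerates)."""
    return (stats["loss_pct"] < max_loss_pct
            and all(o["seconds"] <= max_outage_s for o in stats["outages"]))


if __name__ == "__main__":
    import sys
    lines = SAMPLE_PING
    if len(sys.argv) > 1:            # e.g. ping -i 1 10.20.0.1 | tee ping.log
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    stats = analyze(lines)
    print(f"sent={stats['sent']} received={stats['received']} "
          f"loss={stats['loss_pct']:.2f}% outages={stats['outages']}")
    print("PASS" if verdict(stats) else "FAIL")
```

If the outages it reports line up with the Phase 1 or Phase 2 lifetime (every 8 hours, every hour), compare them against the rekey/reauth timestamps in the syslog you set up; if they are randomly spread, the link itself is the more likely cause.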