There is no need for the IKE and IPsec lifetimes to be the same at both ends. Rekeying is initiated shortly before the negotiated lifetime expires, usually after the shorter of the two routers’ lifetimes. However, under certain circumstances the connection may be lost during rekeying. If this is the case, it may be worthwhile to increase the lifetimes so that disconnections occur less often. This requires the lifetimes on both routers to be the same, or at least very similar.
For security reasons, the lifetimes should not be too long, otherwise the keys could be compromised. Equally, the lifetimes should not be too short in order to avoid frequent and time-consuming rekeying.
This article describes how to adjust the IKEv1 lifetimes on a LANCOM R&S®Unified Firewall.
- LANCOM R&S®Unified Firewall as of LCOS FX 10.4
- A configured and functional IKEv1 VPN connection
- Information about the lifetimes must be available or freely selectable at both ends
- Web browser for configuring the Unified Firewall
The following browsers are supported:
- Google Chrome
- Chromium
- Mozilla Firefox
1) Adjusting the IKE and IPsec lifetimes on the Unified Firewall:
1.1) Use a web browser to connect to the Unified Firewall, switch to the menu VPN → IPsec → Security Profiles and click on the "+" icon to create a new profile.
Further information on security profiles and templates for VPN connections can be found in this Knowledge Base article.
1.2) Enter the encryption settings as for the previous VPN connection and adjust the following parameters in the ISAKMP (IKE) (Phase 1) tab:
- Name: Enter a descriptive name for the security profile (in this example VPN-Office).
- SA Lifetime: Enter the required lifetime in seconds. You can enter a maximum value of 86,400 seconds (1 day).
LANCOM Systems recommends a maximum lifetime of 86,400 seconds. This is the maximum possible value and corresponds to the maximum lifetime of 86,400 seconds for IKEv2 as recommended by the BSI in November 2021.
1.3) Go to the IPsec (ESP) (Phase 2) tab, enter the encryption settings to match those of the VPN connection, and adjust the SA lifetime. Then click on Create:
- SA Lifetime: Enter the required lifetime in seconds. You can enter a maximum value of 86,400 seconds (1 day).
LANCOM Systems recommends a maximum lifetime of 28,800 seconds (8 hours). As of November 2021, the BSI (German Federal Office for Information Security) recommends a maximum lifetime of 14,400 seconds (4 hours) for IKEv2.
1.4) Switch to the menu VPN → IPsec → Connections and, for the relevant VPN connection, click the pencil icon to view the advanced settings.
1.5) Select the security profile created in steps 1.2 – 1.3 and click on Save.
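Before entering the values in the security profile, it helps to check the planned Phase 1 and Phase 2 lifetimes of both ends against each other and against the maxima quoted in this article. The following is an added example, not code from LANCOM or the Unified Firewall: it computes the effective rekey interval (the shorter of the two peers' lifetimes), flags a local value the Unified Firewall will not accept, flags values above the LANCOM and BSI recommendations quoted above, and warns when the two ends differ so much that rekeying is likely to be one-sided. The 5 % tolerance used for "very similar" is an assumption of this example, not a value from the article.

```python
"""Sanity check for IKEv1 (Phase 1) and IPsec (Phase 2) lifetimes at both VPN ends.

Added example; not part of the LANCOM article or LCOS FX. The numeric limits are
the values quoted in the article (seconds); the similarity tolerance is assumed.
"""
from dataclasses import dataclass

UF_MAX_LIFETIME = 86_400   # maximum the Unified Firewall accepts for either phase
LANCOM_IKE_MAX = 86_400    # LANCOM recommendation, ISAKMP (IKE) Phase 1
LANCOM_IPSEC_MAX = 28_800  # LANCOM recommendation, IPsec (ESP) Phase 2
BSI_IKE_MAX = 86_400       # BSI recommendation (Nov 2021, IKEv2), Phase 1
BSI_IPSEC_MAX = 14_400     # BSI recommendation (Nov 2021, IKEv2), Phase 2

DEFAULT_TOLERANCE = 0.05   # assumed: peers within 5 % count as "very similar"


@dataclass(frozen=True)
class PeerLifetimes:
    """Lifetimes (seconds) configured on one end of the tunnel."""
    ike: int
    ipsec: int


def effective_lifetime(local: int, remote: int) -> int:
    """Rekeying normally starts after the shorter of the two peers' lifetimes."""
    return min(local, remote)


def check_phase(name: str, local: int, remote: int, vendor_max: int,
                bsi_max: int, tolerance: float) -> dict:
    """Return the effective lifetime for one phase plus a list of findings."""
    findings = []
    if local <= 0 or remote <= 0:
        findings.append(f"{name}: lifetimes must be positive ({local}s / {remote}s)")
        return {"effective": 0, "findings": findings}
    # Only the local end is assumed to be a Unified Firewall with the 86,400 s cap.
    if local > UF_MAX_LIFETIME:
        findings.append(f"{name}: local lifetime {local}s exceeds the {UF_MAX_LIFETIME}s "
                        "maximum the Unified Firewall accepts")
    eff = effective_lifetime(local, remote)
    if eff > vendor_max:
        findings.append(f"{name}: effective lifetime {eff}s exceeds the LANCOM "
                        f"recommendation of {vendor_max}s")
    if eff > bsi_max:
        findings.append(f"{name}: effective lifetime {eff}s exceeds the BSI "
                        f"recommendation of {bsi_max}s")
    # A large mismatch means one side rekeys long before the other expects it,
    # which is the situation in which the connection may be lost during rekeying.
    if abs(local - remote) > tolerance * max(local, remote):
        findings.append(f"{name}: peers differ ({local}s vs {remote}s); align both "
                        "ends to avoid disconnects during rekeying")
    return {"effective": eff, "findings": findings}


def check_lifetimes(local: PeerLifetimes, remote: PeerLifetimes,
                    tolerance: float = DEFAULT_TOLERANCE) -> dict:
    """Check both phases and return {'ike': {...}, 'ipsec': {...}}."""
    return {
        "ike": check_phase("IKE", local.ike, remote.ike,
                           LANCOM_IKE_MAX, BSI_IKE_MAX, tolerance),
        "ipsec": check_phase("IPsec", local.ipsec, remote.ipsec,
                             LANCOM_IPSEC_MAX, BSI_IPSEC_MAX, tolerance),
    }


if __name__ == "__main__":
    # Constructed sample: both ends use the LANCOM-recommended maxima.
    report = check_lifetimes(PeerLifetimes(ike=86_400, ipsec=28_800),
                             PeerLifetimes(ike=86_400, ipsec=28_800))
    for phase, result in report.items():
        print(f"{phase}: effective rekey interval {result['effective']}s")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it with the values planned for both routers; an empty findings list for a phase means the value is within the Unified Firewall's limit, within both quoted recommendations, and close enough to the remote end that rekeying should be initiated at roughly the same time on both sides.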
2) Restart the VPN connection:
These changes only come into effect after restarting the VPN connection.
2.1) In the Connections menu, click on the “circular arrow” icon for the VPN connection to restart the connection.
2.2) Confirm the prompt by clicking on Restart.