Description:

The IKE and IPsec lifetimes do not have to be identical at both ends. Rekeying is initiated shortly before the negotiated lifetime expires, which in practice means after the shorter of the two routers' lifetimes. Under certain circumstances, however, the connection may be lost during rekeying. If this happens, it can be worthwhile to increase the lifetimes so that disconnections occur less often. This does require the lifetimes on both routers to be set to the same, or at least very similar, values.

For security reasons, the lifetimes should not be too long: the longer a key remains in use, the more traffic is protected by it and the more time an attacker has to work on it. Equally, the lifetimes should not be too short, so that frequent and time-consuming rekeying is avoided.

This article describes how to adjust the IKEv1 lifetimes on a LANCOM router. 

Regarding the configuration of lifetimes on a third-party device, please contact the manufacturer.



Requirements:

  • LCOS as of version 8.50 (download latest version)
  • LANtools from version 8.50 (download latest version)
  • A configured and functional IKEv1 VPN connection
  • Information about the lifetimes must be available or freely selectable at both ends
  • SSH client such as PuTTY for access to the command line


Procedure:

1) Adjust the IKE lifetimes (phase 1):

1.1) Open the configuration of the router in LANconfig and navigate to VPN → IKE/IPSec → IKE proposals.  

[Screenshot: LANconfig, VPN → IKE/IPSec → IKE proposals]

1.2) Click on Add to create a new proposal.

Under no circumstances should you edit or adapt the existing default proposals, otherwise other VPN connections that use the adapted proposal may no longer function correctly.

[Screenshot: IKE proposals table with the Add button]

1.3) Enter the encryption settings as for the previous VPN connection and adjust the following parameters:

  • Identification: Enter a descriptive name (in this example OFFICE-PH1-PROP). This identifier (the table key) is limited to 17 characters.
  • Lifetime: Enter the required lifetime in seconds. No data-volume lifetime (kBytes) is configured in phase 1, because the IKE SA carries very little traffic; leave this value at the default setting of 0 kBytes.

LANCOM Systems recommends a maximum lifetime of 108,000 seconds (corresponds to the default setting). As of November 2021, the BSI (German Federal Office for Information Security) recommends a maximum lifetime of 86,400 seconds (1 day) for IKEv2.

[Screenshot: new IKE proposal dialog with encryption (AES-CBC), authentication (pre-shared key) and lifetime settings]

1.4) Navigate to the IKE proposal lists menu.

[Screenshot: LANconfig, VPN → IKE/IPSec → IKE proposal lists]

1.5) Click on Add to create a new IKE proposal list.

Under no circumstances should you edit or adapt the existing IKE proposal lists, otherwise other VPN connections that use the adapted list may no longer function correctly.

[Screenshot: IKE proposal lists table with the Add button]

1.6) Enter the following parameters:

  • Identification: Enter a descriptive name (in this example OFFICE-PH1-LIST). This identifier (the table key) is limited to 17 characters.
  • Proposal: From the drop-down menu, select the IKE proposal created in step 1.3.

[Screenshot: Proposal drop-down menu with OFFICE-PH1-PROP selected]



2) Adjust the IPsec lifetimes (phase 2):

2.1) Switch to the IPsec proposals menu.

[Screenshot: LANconfig, VPN → IKE/IPSec → IPsec proposals]

2.2) Click on Add to create a new IPsec proposal.

Under no circumstances should you edit or adapt the existing default proposals, otherwise other VPN connections that use the adapted proposal may no longer function correctly.

[Screenshot: IPsec proposals table with the Add button]

2.3) Enter the encryption settings as for the previous VPN connection and adjust the following parameters:

  • Identification: Enter a descriptive name (in this example OFFICE-PH2-PROP). This identifier (the table key) is limited to 17 characters.
  • Lifetime: Enter the required lifetime in seconds. Leave the lifetime in kBytes at the default setting of 2,000,000 kBytes.

LANCOM Systems recommends a maximum lifetime of 28,800 seconds (8 hours) in combination with a data volume of 2,000,000 kBytes (corresponds to the default setting). As of November 2021, the BSI (German Federal Office for Information Security) recommends a maximum lifetime of 14,400 seconds (4 hours) for IKEv2.
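The following is an added example, not code from the LANCOM article or from LCOS: a small Python checker that applies the rules stated above (the effective lifetime is the shorter of the two routers' values, both ends should be set the same or very similar, and the recommended maximums for phase 1 and phase 2) to a pair of planned configurations. It also works out whether the phase-2 data-volume limit or the phase-2 timer will trigger rekeying first at a given throughput, which the article does not spell out. The 5 % mismatch tolerance, the throughput figure and the sample configurations are assumptions constructed for the example.

```python
"""Sanity-check IKEv1 phase 1 / phase 2 lifetimes planned for two routers.

Added example; not part of the LANCOM article. The recommended maximums
are the figures quoted in the article (LANCOM: 108,000 s for phase 1,
28,800 s plus 2,000,000 kBytes for phase 2; BSI, for IKEv2: 86,400 s for
phase 1, 14,400 s for phase 2). Everything else is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Recommended maximum lifetimes quoted in the article.
LANCOM_MAX_S = {"phase1": 108_000, "phase2": 28_800}
LANCOM_MAX_PHASE2_KB = 2_000_000
BSI_MAX_S = {"phase1": 86_400, "phase2": 14_400}   # BSI figures refer to IKEv2


@dataclass
class Lifetimes:
    """Lifetimes configured on one router (seconds / kBytes)."""
    phase1_s: int                           # IKE lifetime in seconds
    phase2_s: int                           # IPsec lifetime in seconds
    phase2_kb: int = LANCOM_MAX_PHASE2_KB   # IPsec data-volume limit in kBytes


Finding = Tuple[str, str, str]   # (phase, code, human-readable message)


def effective_lifetime(local_s: int, remote_s: int) -> int:
    """Rekeying follows whichever end's timer expires first, i.e. the shorter value."""
    return min(local_s, remote_s)


def seconds_until_volume_limit(limit_kb: int, throughput_kb_per_s: float) -> float:
    """Seconds until the kByte limit is reached at a constant throughput (kByte/s)."""
    return limit_kb / throughput_kb_per_s


def check_lifetimes(local: Lifetimes, remote: Lifetimes,
                    mismatch_tolerance: float = 0.05,           # assumed: 5 % allowed difference
                    throughput_kb_per_s: Optional[float] = None) -> List[Finding]:
    """Return a list of findings; an empty list means the plan matches the article's advice."""
    findings: List[Finding] = []
    for phase in ("phase1", "phase2"):
        l_s = getattr(local, f"{phase}_s")
        r_s = getattr(remote, f"{phase}_s")
        eff = effective_lifetime(l_s, r_s)
        # Both ends should use the same or very similar values.
        if abs(l_s - r_s) > mismatch_tolerance * max(l_s, r_s):
            findings.append((phase, "MISMATCH",
                             f"local {l_s}s vs remote {r_s}s; rekeying will follow the shorter value ({eff}s)"))
        if eff > LANCOM_MAX_S[phase]:
            findings.append((phase, "ABOVE_LANCOM_MAX",
                             f"effective {eff}s exceeds the LANCOM recommendation of {LANCOM_MAX_S[phase]}s"))
        if eff > BSI_MAX_S[phase]:
            findings.append((phase, "ABOVE_BSI_MAX",
                             f"effective {eff}s exceeds the BSI recommendation of {BSI_MAX_S[phase]}s"))
    # Phase 2 also has a data-volume limit; at high throughput it can expire before the timer.
    if throughput_kb_per_s:
        eff_kb = min(local.phase2_kb, remote.phase2_kb)
        eff_s = effective_lifetime(local.phase2_s, remote.phase2_s)
        t_volume = seconds_until_volume_limit(eff_kb, throughput_kb_per_s)
        if t_volume < eff_s:
            findings.append(("phase2", "VOLUME_LIMIT_FIRST",
                             f"at {throughput_kb_per_s} kByte/s the {eff_kb} kByte limit is reached after "
                             f"~{t_volume:.0f}s, before the {eff_s}s timer"))
    return findings


if __name__ == "__main__":
    # Constructed sample: local router uses the LANCOM defaults, remote uses the BSI phase-1 value.
    local_cfg = Lifetimes(phase1_s=108_000, phase2_s=28_800)
    remote_cfg = Lifetimes(phase1_s=86_400, phase2_s=28_800)
    for phase, code, message in check_lifetimes(local_cfg, remote_cfg, throughput_kb_per_s=100):
        print(f"{phase}: {code}: {message}")
```

Run without arguments to see the findings for the constructed sample; in practice, feed in the values agreed with the operator of the remote end before creating the proposals in steps 1.3 and 2.3, and treat a MISMATCH finding as a sign that one side's value should be aligned with the other.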

[Screenshot: new IPsec proposal dialog with lifetime settings]

2.4) Switch to the IPsec proposal lists menu.

[Screenshot: LANconfig, VPN → IKE/IPSec → IPsec proposal lists]

2.5) Click on Add to create a new IPsec proposal list.

Instead of creating a new IPsec proposal list, you can also directly edit the proposal list for the VPN connection itself (in this example IPS-VPN-OFFICE). However, make absolutely sure that it is not being used by any other VPN connections, otherwise they may no longer function properly.

[Screenshot: IPsec proposal lists table with the Add button]

2.6) Enter the following parameters:

  • Identification: Enter a descriptive name (in this example OFFICE-PH2-LIST). This identifier (the table key) is limited to 17 characters.
  • Proposal: From the drop-down menu, select the IPsec proposal created in step 2.3.

[Screenshot: Proposal drop-down menu with OFFICE-PH2-PROP selected]



3) Assigning the adapted proposals to the VPN connection:

3.1) Switch to the menu Connection parameters.

[Screenshot: LANconfig, VPN → IKE/IPSec → Connection parameters]

3.2) Mark the connection parameters for the relevant VPN connection and click on Edit.

[Screenshot: Connection parameters table with the VPN connection selected]

3.3) Under IKE proposals, select from the drop-down menu the IKE proposal list created in step 1.6, and under IPSec proposals select the IPsec proposal list created in step 2.6.

[Screenshot: Connection parameters dialog with PFS group, IKE group, IKE proposals and IPSec proposals]

3.4) This concludes the adjustment of the IKE and IPsec lifetimes. Write the configuration back to the router.



4) Restart the VPN connection:

The changes only take effect after the VPN connection has been restarted, i.e. after it has been disconnected and re-established.

4.1) Restart the VPN connection using LANmonitor:

Select the VPN connection, right-click and select the context-menu option Disconnect.

[Screenshot: LANmonitor, VPN connection to OFFICE (connected, no errors) with remote gateway, IKE type, connection time and encapsulation details]


4.2) Restart the VPN connection from the command line:

Enter the command to disconnect the VPN connection in the following format:

do Other/Manual-Dialing/Disconnect <Name of the VPN connection>

In this example, the command would appear as follows:

do Other/Manual-Dialing/Disconnect VPN-OFFICE

[Screenshot: command line session showing the do Other/Manual-Dialing/Disconnect command]