Custom IPSec options

[rubensa]

In order to my connection not to be dropped after an hour of use I need to specify:

• ikelifetime=8h
• salifetime=1h

to match my server settings as according to libreswan doc default values are:

• ikelifetime=24h
• salifetime=8h

I found no way to do this using network-manager-l2tp.

Is there any way to set custom ipsec conn properties using network-manager-l2tp (any manual file setup or anything else)?

PS: Looking to this changeset I think that can be configured on NetworkManager-librewan. How about implementing that functionality in network-manager-l2tp too?

[dkosovic]

The only way currently to add custom configuration values is to modify the nm_l2tp_config_write() function in the nm-l2tp-service.c source code, in particular the IPsec config section :

• https://github.com/nm-l2tp/network-manager-l2tp/blob/master/src/nm-l2tp-service.c

It would just be a matter of adding the following two lines in that section :

write_config_option (fd, "      * ikelifetime=8h\n");
write_config_option (fd, "      * salifetime=1h\n");

In the NetworkManager-librewan GUI since version 1.2.8, it has had the following text fields and tool-tips :

• Phase1 Lifetime: how long the keying channel of a connection should last before being renegotiated. The value is expressed by a number followed by an optional 's'(econds), 'm'(inutes), 'h'(ours) or 'd'(ays) config: ikelifetime <lifetime>
• Phase2 Lifetime: how long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. The value is expressed by a number followed by an optional 's'(econds), 'm'(inutes), 'h'(ours) or 'd'(ays) config: salifetime <lifetime>

Both libreswan and strongswan have ikelifetime, but only libreswan has salifetime. To add the options to the GUI, I would like to support both libreswan and strongswan. Extract from strongswan ipsec.conf conn section reference :

• ikelifetime = 3h | <time> how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.
• lifetime = 1h | <time> how long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry; acceptable values are an integer optionally followed by s (a time in seconds) or a decimal number followed by m, h, or d (a time in minutes, hours, or days respectively) (default 1h, maximum 24h). Normally, the connection is renegotiated (via the keying channel) before it expires (see margintime). The two ends need not exactly agree on lifetime, although if they do not, there will be some clutter of superseded connections on the end which thinks the lifetime is longer.

So it looks like strongswan's lifetime is probably the same as libreswan's salifetime.

I'll add "Phase1 Lifetime" and "Phase2 Lifetime" to the GUI. I'm hoping to release a new version in the next couple of weeks and I'm also adding some other options to the IPsec Config dialog box that are in the NetworkManager-strongswan GUI.

[dkosovic]

Unlike NetworkManager-libreswan, I'm not going to use text boxes for "Phase1 Lifetime" and "Phase2 Lifetime" . I would prefer to use a spin button to do hh:mm:ss.

I'm thinking of setting the spin buttons to the default settings which according to libreswan's ipsec.conf(5) are :

• ikelifetime=1h
• salifetime=8h

but thinking of maybe using strongswan's defaults instead which are 3h and 1h respectively.

Also interestingly libreswan's ipsec_pluto(8) doesn't have a salifetime, but does have a ipseclifetime with default of 28800 (eight hours).

[dkosovic]

Actually which version of NetworkManager-l2tp are you using? There was a rekeying bug with earlier versions. As mentioned in the strongswan docs for the lifetime option, normally, the connection is renegotiated (via the keying channel) before it expires.

[rubensa]

Hello @dkosovic First of all, thank you for your answer.

For libreswan, "keylife" and "lifetime" are obsoleted aliases for "salifetime".

I'm currently using Ubuntu 18.04 with network-manager-l2tp 1.2.8-2build1.

[dkosovic]

Version 1.2.8 didn't have the rekeying issue I was thinking about, older versions used to delete the PSK, consequently rekeying would break.

[rubensa]

In my case I think that the connection is closed because lifetimes misconfiguration with the Cisco server. See https://documentation.meraki.com/MX/Site-to-site_VPN/IPsec_VPN_Lifetimes (This is not my exact case, but the information applies)

[dkosovic]

Phase 1 & 2 lifetimes were added with commit https://github.com/nm-l2tp/network-manager-l2tp/commit/05053a39c2d121580bf907f2568c1f49bc5f59e8

I need to backport to nm-1-2 branch and will release a version 1.2.12 soon after.

[rubensa]

:+1: Great!! Thank you very much!

[dkosovic]

nm-1-2 branch backported.