Adjusting Values for IPSec VPN Using Kerio Control

Overview

This article provides information about IPSec VPN settings and describes the process of changing its lifetime, rekey, and reauth values using Kerio Control.


Diagnosis

About IPSec VPN Settings

Kerio Control uses a third-party library called strongSwan for IPSec. The following IPSec lifetime values are stored in the /etc/ipsec.conf file:

  • The lifetime variable defines how long a particular instance of a connection should last, from successful negotiation to expiry.
  • The ikelifetime variable defines how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.

[Screenshot: ipsec_lifetime.png]

Note: These numbers are in hours.

All supported options and values are listed in the strongSwan ipsec.conf reference. The variables that most commonly need to be changed are:

  • dpdtimeout = 150s | <time>
    This variable defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.
  • inactivity = <time>
    This variable defines the timeout interval, after which a CHILD_SA is closed if it does not send or receive any traffic.


Solution

Changing Values for IPSec VPN

  1. Log in via SSH to your Kerio Control console.
  2. Run the following command for each IPSec tunnel you need to change.
    /opt/kerio/winroute/tinydbclient "update VpnTunnels_v2 set CustomOptions={'rekey="no"', 'reauth="no"', 'lifetime="1h"','ikelifetime="8h"'} where name='Test'"

    Note: Replace 'Test' with the name of your tunnel.

    IMPORTANT: If the tunnel name contains any of the following characters, escape them in the command: Period (.), Asterisk (*), Plus (+), Question Mark (?), Caret (^), Dollar Sign ($), Parentheses (( and )), Brackets ([ and ]), Braces ({ and }), Pipe (|), Backslash (\), Slash (/), Quote ('), Double Quotes (").

    For example, a tunnel named "VPN (external)" should be written as "VPN \(external\)" when the command is run.

  3. (Optional) Restart Kerio Control if the settings are not propagating.
  4. Reconnect the VPN tunnel from the Kerio Control Webadmin and confirm that the changes are now persistent.
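
One way to confirm the values from the SSH console in step 4, as an added example (not Kerio's or strongSwan's code): it reads an ipsec.conf file and prints the effective lifetime, ikelifetime, rekey and reauth for each conn section, falling back to conn %default where a conn does not set a value. The function names and the sample conn names are assumptions, as is the expectation that a tunnel's custom options appear as key=value lines in its conn section of /etc/ipsec.conf.

```sh
#!/bin/sh
# Print "<conn> lifetime=.. ikelifetime=.. rekey=.. reauth=.." per conn section.
# A key missing from the conn falls back to "conn %default", else "unset".
ipsec_effective() {
    awk '
    BEGIN { n = split("lifetime ikelifetime rekey reauth", keys, " ") }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
    /^conn[ \t]+/ {                              # start of a conn section
        cur = $2
        if (cur != "%default" && !(cur in seen)) { seen[cur] = 1; order[++c] = cur }
        next
    }
    /^[^ \t]/ { cur = ""; next }                 # other section types
    cur != "" && (eq = index($0, "=")) > 0 {     # indented key=value line
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/[ \t]/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
        val[cur, k] = v
    }
    END {
        for (i = 1; i <= c; i++) {
            out = order[i]
            for (j = 1; j <= n; j++) {
                k = keys[j]; v = "unset"
                if ((order[i], k) in val) v = val[order[i], k]
                else if (("%default", k) in val) v = val["%default", k]
                out = out " " k "=" v
            }
            print out
        }
    }' "$1"
}

# Succeeds only if conn $2 has the effective setting $3=$4 in file $1.
ipsec_check() {
    ipsec_effective "$1" | awk -v c="$2" -v want="$3=$4" '
        $1 == c { for (i = 2; i <= NF; i++) if ($i == want) ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Constructed sample input; conn names and values are made up for this example.
sample_conf() {
    printf '%s\n' 'config setup' 'conn %default' '    ikelifetime=3h' \
        '    rekey=yes' 'conn tunnel_test' '    rekey=no' '    reauth=no' \
        '    lifetime="1h"' '    ikelifetime=8h' 'conn tunnel_other' '    lifetime=2h'
}

tmp=$(mktemp) && sample_conf > "$tmp" && ipsec_effective "$tmp"; rm -f "$tmp"
```

After reconnecting the tunnel, run ipsec_effective against /etc/ipsec.conf and compare the line for your tunnel with the values set in step 2.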


 

  1. Priyanka Bhotika
