Overview

This article provides information about IPSec VPN settings and describes the process of changing its lifetime, rekey, and reauth values using Kerio Control.

Diagnosis

About IPSec VPN Settings

Kerio Control uses a third-party library called Strongswan for the following IPSec lifetime values that are stored in the /etc/ipsec.conf file.

• The Lifetime variable means how long a particular instance of a connection should last from successful negotiation to expiry.
• The Ikelifetime variable corresponds to how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.

Note: These numbers represent hourly units.

All supported options and values can be found in Strongswan IPSec.conf reference. The common variables that need to be changed are:

• dpdtimeout = 150s | <time>
  This variable defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.
• inactivity = <time>
  This variable defines the timeout interval, after which a CHILD_SA is closed if it does not send or receive any traffic.

Back to Top

Solution

Changing Values for IPSec VPN

1. Log in via SSH to your Kerio Control console.
2. Execute the following command on all the IPSec tunnels you need.
   /opt/kerio/winroute/tinydbclient "update VpnTunnels_v2 set CustomOptions={'rekey="no"', 'reauth="no"', 'lifetime="1h"','ikelifetime="8h"'} where name='Test'"


   Note: replace 'Test' with the name of your Tunnel.

3. (Optional) Restart Kerio Control if the settings are not propagating.
4. Reconnect the VPN tunnel from the Kerio Control Webadmin and confirm that the changes are now persistent.

Back to Top

Related Articles

• Enabling IKEv2 Support in Kerio Control
• Configuring IPSec VPN Client on Linux Debian-based OS