OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: putt1ck on June 08, 2019, 06:13:33 pm

Title: [SOLVED] Tuning ipsec for fastest (re)negotiation
Post by: putt1ck on June 08, 2019, 06:13:33 pm
We've got a setup with several offices, with VPNs between each site (fixed IPs, dedicated FTTP) which are used among other things for monitoring kit on each site from a central server. We're noticing that when the VPN lifetime expires the tunnel drops and then there's an odd delay before it re-establishes. For most purposes it wouldn't be an issue but the disconnect is long enough to make the monitoring send a bunch of alerts - and can disrupt inter-site backups.

Lifetimes are set at 28800 seconds for phase 1 and 2 at each end.

Are there any settings we could tweak to cause the renegotiation to take less time?

Title: Re: Tuning ipsec for fastest (re)negotiation
Post by: putt1ck on June 11, 2019, 01:23:33 pm
Ok, I may have resolved this one. A combination of using Disable Reauth on the phase 1 and limiting the encryption options on the phase 2s to a single option has reduced renegotiation times to the point that monitoring services are no longer (normally) triggered. Still get the occasional blip but that's much better than all tunnels every X hours!
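As an added illustration (not the poster's configuration), the two changes described in the reply expressed in strongSwan ipsec.conf terms, which is what OPNsense 19.1 generates for its IPsec tunnels: the "before" block re-authenticates on every rekey and offers several Phase 2 proposals, the "after" block rekeys the IKE_SA in place and offers exactly one. Connection names, addresses, subnets and algorithms are constructed placeholders; IKEv2 is assumed, since `reauth` has no effect on IKEv1.

```conf
# Added example, not the poster's config. Names, addresses and algorithms are placeholders.

# --- before: full reauthentication on rekey, several Phase 2 proposals to walk through ---
conn site-a-to-site-b-slow
    keyexchange=ikev2
    left=192.0.2.1
    right=198.51.100.1
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    authby=secret
    ikelifetime=28800s      # Phase 1 lifetime as in the thread
    lifetime=28800s         # Phase 2 lifetime as in the thread
    reauth=yes              # tears down the IKE_SA and re-authenticates the peer at each rekey
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024!
    esp=aes256gcm16,aes256-sha256,aes128-sha1!   # peer has to agree on one of several proposals
    auto=start

# --- after: "Disable Reauth" plus a single Phase 2 proposal ---
conn site-a-to-site-b-fast
    keyexchange=ikev2
    left=192.0.2.1
    right=198.51.100.1
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    authby=secret
    ikelifetime=28800s
    lifetime=28800s
    reauth=no               # rekey the IKE_SA in place; fresh keys, no re-authentication round trip
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!        # one proposal: nothing to negotiate, nothing weaker to fall back to
    margintime=9m           # begin rekeying this long before the hard lifetime expires (default)
    rekeyfuzz=100%          # randomise the rekey start so both ends do not collide (default)
    auto=start
```

With `reauth=no` the peer's identity is verified only when the IKE_SA is first established; the IKEv2 rekey still derives fresh keying material, so the trade-off is less frequent authentication, not weaker keys. The trailing `!` makes the proposal list strict, so the single-proposal form also prevents the tunnel from settling on an algorithm you did not intend.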