[SOLVED] Tuning ipsec for fastest (re)negotiation

Started by putt1ck, June 08, 2019, 06:13:33 PM

June 08, 2019, 06:13:33 PM Last Edit: June 11, 2019, 01:24:16 PM by putt1ck
We've got a setup with several offices, with VPNs between each site (fixed IPs, dedicated FTTP) which are used among other things for monitoring kit on each site from a central server. We're noticing that when the VPN lifetime expires the tunnel drops and then there's an odd delay before it re-establishes. For most purposes it wouldn't be an issue but the disconnect is long enough to make the monitoring send a bunch of alerts - and can disrupt inter-site backups.

Lifetimes are set at 28800 seconds for phase 1 and 2 at each end.

Are there any settings we could tweak to cause the renegotiation to take less time?

Ok, I may have resolved this one. A combination of using Disable Reauth on the phase 1 and limiting the encryption options on the phase 2s to a single option has reduced renegotiation times to the point that monitoring services are no longer (normally) triggered. Still get the occasional blip but that's much better than all tunnels every X hours!
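As an added illustration (not from the thread or from OPNsense's own configuration), a strongSwan swanctl.conf fragment expressing the two changes the post describes for one site-to-site tunnel: reauthentication disabled on the IKE SA ("Disable Reauth") and a single ESP proposal for the child SA. OPNsense builds its IPsec service on strongSwan, but the thread shows no configuration, so the addresses, subnets, identities, proposal choices and the use of swanctl syntax are assumptions; the 28800-second lifetime is the one stated in the thread.

```conf
# Added example (not from the thread): one site-to-site tunnel in swanctl.conf.
# Addresses, subnets, identities and the PSK are placeholders.
connections {
    office-a-to-b {
        local_addrs  = 198.51.100.10      # placeholder: this site's fixed IP
        remote_addrs = 203.0.113.20       # placeholder: remote site's fixed IP
        version = 2
        # "Disable Reauth": reauth_time = 0 turns IKE reauthentication off.
        # Reauthentication recreates the IKE SA and every child SA from scratch
        # (break-before-make by default), which is the visible tunnel drop;
        # rekeying instead replaces keys in place and keeps traffic flowing.
        reauth_time = 0
        # 28800 s lifetime from the thread. strongSwan starts the rekey before
        # expiry, so the replacement IKE SA exists before the old one is deleted.
        rekey_time = 28800s
        proposals = aes256-sha256-modp2048  # one IKE proposal, identical at both ends
        local {
            auth = psk
            id = site-a
        }
        remote {
            auth = psk
            id = site-b
        }
        children {
            lan-to-lan {
                local_ts  = 10.1.0.0/24     # placeholder: local LAN
                remote_ts = 10.2.0.0/24     # placeholder: remote LAN
                # "Limit phase 2 to a single option": one ESP proposal, matched on the
                # peer, leaves nothing to negotiate or mismatch during the rekey.
                esp_proposals = aes256gcm16-modp2048
                rekey_time = 28800s
                start_action = start        # establish without waiting for traffic
                dpd_action = restart        # re-establish if the peer stops answering
            }
        }
    }
}
secrets {
    ike-site-b {
        id = site-b
        secret = "placeholder-preshared-key"
    }
}
```

After loading the config, `swanctl --list-sas` shows both IKE and child SAs; during a rekey you should briefly see two child SAs side by side rather than a gap with none, which is the behaviour that keeps monitoring quiet.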