
[L2TP/IPSEC] Racoon default ISAKMP SA Lifetime and IPSEC SA Lifetime

*L2TP/IPSEC: Racoon default ISAKMP SA Lifetime and IPSEC SA Lifetime hardcoded to 3600 sec*

Context:
- using OS X 10.6.6
- connect using L2TP/IPSEC to an IKE Server

Issue:

Mac OS X is using a customized racoon distribution - http://www.opensource.apple.com/source/ipsec/ipsec-93.10/

The default template for the racoon.conf configuration is generated dynamically by:
http://www.opensource.apple.com/source/ppp/ppp-412.3/Helpers/vpnd/ipsec_utils.c

Both lifetime settings are hardcoded:

- 1. for _ISAKMP SA_:

int
configure_proposal(int level, FILE *file, CFDictionaryRef ipsec_dict, CFDictionaryRef proposal_dict, char **errstr)
...
    /*
     Lifetime is OPTIONAL
     */
    {
        u_int32_t lval = 3600;
        if (proposal_dict) {
            GetIntFromDict(proposal_dict, kRASPropIPSecProposalLifetime, &lval, 3600);
        }
        snprintf(text, sizeof(text), "lifetime time %d sec;\n", lval);
        WRITE(text);
    }

- 2. for _IPSEC SA_:

int
configure_sainfo(int level, FILE *file, CFDictionaryRef ipsec_dict, CFDictionaryRef policy, char **errstr)
...
    /*
     lifetime is OPTIONAL
     */
    {
        u_int32_t lval = 3600;
        if (policy)
            GetIntFromDict(policy, kRASPropIPSecPolicyLifetime, &lval, 3600);
        snprintf(text, sizeof(text), "lifetime time %d sec;\n", lval);
        WRITE(text);
    }

An example for the racoon configuration template generated automatically in case of an L2TP/IPSEC connection:

/var/run/racoon/<ip>.conf
...
proposal {
    authentication_method pre_shared_key;
    hash_algorithm sha1;
    encryption_algorithm 3des;
    lifetime time 3600 sec;
    dh_group 2;
}
...
sainfo address 11.126.8.202/32 [60559] 17 address 11.126.8.149/32 [1701] 17 {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}
...

As you can see, both the ISAKMP SA lifetime and the IPSEC SA lifetime are set to "3600 sec".
Since this code is common for OS X and iOS, these settings are hardcoded for all Apple platforms (Mac OS X, iPhone, iPad).

For Cisco, for example, the lifetime default values are:
ISAKMP SA lifetime: 86400 seconds / one day
IPSEC SA lifetime: 28800 seconds / 8 hours

Question:
Is there any chance that Apple will allow the configuration for these default values, or at least update them to a more standardized set of values?
Especially the current value for the ISAKMP SA lifetime (1h) is quite small compared with the common recommendations - 8h or 24h.

Thanks,
Lucian

Posted on Feb 4, 2011 4:04 AM
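An added example (not part of the original post, and not Apple's code): a small checker that reads a generated racoon.conf, pulls the "lifetime time N sec;" line out of each proposal and sainfo block, and reports any lifetime shorter than the Cisco defaults the post quotes. The sample configuration is the fragment shown in the post; the reference values and the unit table are assumptions for this example.

```python
import re

# Constructed sample: the racoon.conf fragment from the post, which vpnd's
# ipsec_utils.c writes under /var/run/racoon/<ip>.conf for an L2TP/IPsec link.
SAMPLE_RACOON_CONF = """\
proposal {
    authentication_method pre_shared_key;
    hash_algorithm sha1;
    encryption_algorithm 3des;
    lifetime time 3600 sec;
    dh_group 2;
}
sainfo address 11.126.8.202/32 [60559] 17 address 11.126.8.149/32 [1701] 17 {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}
"""

# Reference lifetimes quoted in the post (Cisco defaults): ISAKMP SA 86400 s,
# IPsec SA 28800 s. "proposal" blocks carry the ISAKMP SA lifetime, "sainfo"
# blocks the IPsec SA lifetime.
REFERENCE_SECONDS = {"proposal": 86400, "sainfo": 28800}

# racoon accepts sec/min/hour as lifetime units; assumed here for completeness.
_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}
_BLOCK_RE = re.compile(r"\b(proposal|sainfo)\b[^{]*\{([^{}]*)\}", re.S)
_LIFETIME_RE = re.compile(r"lifetime\s+time\s+(\d+)\s+(sec|min|hour)\s*;")


def lifetimes(conf):
    """Return [(block_kind, seconds)] for each proposal/sainfo block found."""
    found = []
    for kind, body in _BLOCK_RE.findall(conf):
        m = _LIFETIME_RE.search(body)
        if m:
            found.append((kind, int(m.group(1)) * _UNIT_SECONDS[m.group(2)]))
    return found


def short_lifetimes(conf, reference=REFERENCE_SECONDS):
    """Return (kind, actual, reference) for blocks below the reference value."""
    return [(k, s, reference[k]) for k, s in lifetimes(conf) if s < reference[k]]


if __name__ == "__main__":
    for kind, secs, ref in short_lifetimes(SAMPLE_RACOON_CONF):
        print(f"{kind}: lifetime {secs}s is below the reference {ref}s")
```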
