Overview
This article provides information about IPSec VPN settings and describes the process of changing its lifetime values using Kerio Control.
About IPSec VPN Settings
Kerio Control uses a third-party library called Strongswan for the following IPSec lifetime values that are stored in the /etc/ipsec.conf file.
- The
Lifetimevariable means how long a particular instance of a connection should last from successful negotiation to expiry. - The
Ikelifetimevariable corresponds to how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.
All supported options and values can be found in Strongswan IPSec.conf reference. The common variables that need to be changed are:
dpdtimeout = 150s | <time>
This variable defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.inactivity = <time>
This variable defines the timeout interval, after which a CHILD_SA is closed if it does not send or receive any traffic.
Changing Lifetime Values for IPSec VPN
- Log in via SSH to your Kerio Control console.
- Make the system read-writable by running the command:
mount -o rw,remount / - Open the
/etc/ipsec.conffile (using Vim or Nano editor). - Add the following lines in the file, as seen in the screenshot below:
ikelifetime="3"
lifetime="1"
Note: These numbers represent hourly units.
- Save changes and monitor the IPSec VPN behavior.
Note: These changes may not survive the reboot/shutdown of Kerio Control, as the ipsec.conf file regenerates during system startups. Additionally, even the disabling/enabling of the VPN server in the control admin GUI erases these lifetime parameters and reverts them to their standard values.