Adjusting Lifetime Values for IPSec VPN Using Kerio Control

Overview

This article provides information about IPSec VPN settings and describes the process of changing its lifetime values using Kerio Control.

Kerio Control uses a third-party library called Strongswan for the following IPSec lifetime values that are stored in the /etc/ipsec.conf file.

The Lifetime variable means how long a particular instance of a connection should last from successful negotiation to expiry.
The Ikelifetime variable corresponds to how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.

All supported options and values can be found in Strongswan IPSec.conf reference. The common variables that need to be changed are:

dpdtimeout = 150s | <time>
This variable defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.
inactivity = <time>
This variable defines the timeout interval, after which a CHILD_SA is closed if it does not send or receive any traffic.

Log in via SSH to your Kerio Control console.
Make the system read-writable by running the command: mount -o rw,remount /
Open the /etc/ipsec.conf file (using Vim or Nano editor).
Add the following lines in the file, as seen in the screenshot below:
```
 ikelifetime="3"
 lifetime="1"
```
Note: These numbers represent hourly units.
Save changes and monitor the IPSec VPN behavior.

Note: These changes may not survive the reboot/shutdown of Kerio Control, as the ipsec.conf file regenerates during system startups. Additionally, even the disabling/enabling of the VPN server in the control admin GUI erases these lifetime parameters and reverts them to their standard values.

Choose files or drag and drop files

Tags:

Was this article helpful?

Yes