Global IKE configuration options

Various IKE global parameters may be tuned. For most of them, changing the value requires restarting the IKE daemon, which tears down all established IPsec tunnels.

All IKE global parameters are configured in the ike sub-context.

Enter the ike sub-context:

router{conf:myconfig}sec
router{conf:myconfig-sec}ike
router{conf:myconfig-sec-ike}

Leave the ike sub-context for the sec context:

router{conf:myconfig-sec-ike}exit
router{conf:myconfig-sec}

Note

An instance of the IKE daemon is launched for each VRF in which an IKE VPN is defined. Parameters configured in the ike context are common to all instances. The expression “the IKE daemon” must be understood as “all instances of the IKE daemon”.

Number of IKE worker threads

The IKE daemon is a multi-threaded application. The total number of threads it uses may be controlled.

Set the number of worker threads run by the IKE daemon:

router{conf:myconfig-sec-ike}threads THREADS|default

Default value:

router{conf:myconfig-sec-ike}threads 16

Changing this option triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.threads option in strongSwan’s strongswan.conf configuration file.

SA hash table size

The IKE SA hash table size can be increased to improve performance when a high number of SAs is managed by the IKE daemon.

Set the size of the SA hash table in the IKE daemon:

router{conf:myconfig-sec-ike}sa-table-size SIZE|default

Default value:

router{conf:myconfig-sec-ike}sa-table-size 1

Changing this option triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.ikesa_table_size option in strongSwan’s strongswan.conf configuration file and strongSwan’s IKE SA lookup tuning.

SA hash table segments

The IKE SA hash table can be split into segments to improve performance when a high number of SAs is managed by the IKE daemon on multiple cores. Each segment will get its own lock.

Set the number of segments of the SA hash table in the IKE daemon:

router{conf:myconfig-sec-ike}sa-table-segments SEGMENTS|default

Default value:

router{conf:myconfig-sec-ike}sa-table-segments 1

Changing this option triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.ikesa_table_segments option in strongSwan’s strongswan.conf configuration file and strongSwan’s IKE SA lookup tuning.

Lifetime of SA acquire messages

When the IPsec stack requires an IPsec SA to send traffic, it raises an SA acquire message to the IKE daemon.

When receiving an acquire message, the IKE daemon initiates an IKE negotiation. No new acquire message will be triggered by the IPsec stack for this traffic flow until the negotiation is established or the acquire times out.

Set the lifetime of SA acquire messages:

router{conf:myconfig-sec-ike}acquire-timeout SECONDS|default

Default value:

router{conf:myconfig-sec-ike}acquire-timeout 30

Changing this option does not restart the IKE daemon.

See also

For more details, please refer to the charon.plugins.kernel-netlink.xfrm_acq_expires option in strongSwan’s strongswan.conf configuration file.

SPD IPv4 hash bits

The IPv4 SPs in the IPsec stack may be stored in a hash table, depending on their selector subnets.

The spd-hash-ipv4 command configures how many bits of the subnets are used in the hash. LOCAL_BITS refers to the local subnet, REMOTE_BITS to the remote one.

An SP is hashed only if its local prefix length is greater than or equal to LOCAL_BITS and its remote prefix length is greater than or equal to REMOTE_BITS.

Example:

if LOCAL_BITS = 16 and REMOTE_BITS = 32:

  • ipsec-rule rule1 192.168.1.0/24 192.168.2.2/32 (...) will be hashed using 192.168.0.0 (LOCAL_BITS kept) and 192.168.2.2 (REMOTE_BITS kept).
  • ipsec-rule rule2 192.168.1.0/24 192.168.2.2/24 (...) will not be hashed because the remote prefix length is lower than REMOTE_BITS.

Set SP subnet hashing bits for IPv4 policies:

router{conf:myconfig-sec-ike}spd-hash-ipv4 (LOCAL_BITS REMOTE_BITS)|default

Default value:

router{conf:myconfig-sec-ike}spd-hash-ipv4 32 32

Changing this option triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits and charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits options in strongSwan’s strongswan.conf configuration file.

SPD IPv6 hash bits

The IPv6 SPs in the IPsec stack may be stored in a hash table, depending on their selector subnets.

The spd-hash-ipv6 command configures how many bits of the subnets are used in the hash. LOCAL_BITS refers to the local subnet, REMOTE_BITS to the remote one.

An SP is hashed only if its local prefix length is greater than or equal to LOCAL_BITS and its remote prefix length is greater than or equal to REMOTE_BITS (see SPD IPv4 hash bits for an example).
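As an added illustration (example code, not from the original page or from strongSwan), the following Python function applies the hashing rule of this section and of SPD IPv4 hash bits to any IPv4 or IPv6 policy: it reports whether a policy meets the LOCAL_BITS/REMOTE_BITS thresholds and, if so, the masked selector addresses the hash is computed from. rule1 and rule2 are the page's own IPv4 example; the IPv6 policies rule3 and rule4 are constructed, and the masking only shows which bits are kept, not the kernel's actual hash function.

```python
import ipaddress

def spd_hash_key(local, remote, local_bits, remote_bits):
    """Apply the spd-hash-ipv4 / spd-hash-ipv6 rule to one security policy.

    Returns (masked_local, masked_remote), the selector addresses reduced to
    LOCAL_BITS / REMOTE_BITS that the hash is computed from, or None when the
    policy is not hashed because one prefix length is below its threshold.
    A host address inside a subnet (e.g. 192.168.2.2/24, as the page writes
    it) is accepted thanks to strict=False."""
    lnet = ipaddress.ip_network(local, strict=False)
    rnet = ipaddress.ip_network(remote, strict=False)
    if lnet.version != rnet.version:
        raise ValueError("local and remote selectors must use the same IP version")
    if lnet.prefixlen < local_bits or rnet.prefixlen < remote_bits:
        return None  # kept out of the hash table: looked up without hashing
    # supernet() keeps only the first N bits of each selector network.
    masked_local = lnet.supernet(new_prefix=local_bits).network_address
    masked_remote = rnet.supernet(new_prefix=remote_bits).network_address
    return str(masked_local), str(masked_remote)

# Constructed policy list: rule1/rule2 are the page's IPv4 example,
# rule3/rule4 are made-up IPv6 counterparts (documentation prefixes).
POLICIES = [
    ("rule1", "192.168.1.0/24", "192.168.2.2/32"),
    ("rule2", "192.168.1.0/24", "192.168.2.2/24"),
    ("rule3", "2001:db8:1::/64", "2001:db8:2::1/128"),
    ("rule4", "2001:db8:1::/48", "2001:db8:2::/64"),
]

def hashed_policies(policies, local_bits, remote_bits):
    """Map each policy name to its hash key, or None when it is not hashed."""
    return {name: spd_hash_key(l, r, local_bits, remote_bits)
            for name, l, r in policies}

if __name__ == "__main__":
    # LOCAL_BITS = 16, REMOTE_BITS = 32, as in the page's IPv4 example
    for name, key in hashed_policies(POLICIES[:2], 16, 32).items():
        print(name, "hashed on" if key else "not hashed", key or "")
    # With the default 128 128, only host-to-host IPv6 policies are hashed
    for name, key in hashed_policies(POLICIES[2:], 128, 128).items():
        print(name, "hashed on" if key else "not hashed", key or "")
```

Running it with the defaults (32 32 and 128 128) shows that every subnet-to-subnet policy stays outside the hash table, which is why the thresholds are worth lowering on a gateway holding many such policies.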

Set SP subnet hashing bits for IPv6 policies:

router{conf:myconfig-sec-ike}spd-hash-ipv6 (LOCAL_BITS REMOTE_BITS)|default

Default value:

router{conf:myconfig-sec-ike}spd-hash-ipv6 128 128

Changing this option triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits and charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits options in strongSwan’s strongswan.conf configuration file.

DoS protection

The IKE daemon provides DoS protection using cookies and aggressiveness checks.

Enable DoS protection:

router{conf:myconfig-sec-ike}dos-protection enable

Set the number of half-open IKE SAs that activate the cookie mechanism:

router{conf:myconfig-sec-ike}cookie-threshold INTEGER|default

Set the maximum number of half-open IKE SAs for a single peer IP:

router{conf:myconfig-sec-ike}block-threshold INTEGER|default

Disable DoS protection:

router{conf:myconfig-sec-ike}dos-protection disable

Default values:

router{conf:myconfig-sec-ike}dos-protection enable
router{conf:myconfig-sec-ike}cookie-threshold 10
router{conf:myconfig-sec-ike}block-threshold 5

Changing any of these options triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.dos_protection, charon.cookie_threshold and charon.block_threshold options in strongSwan’s strongswan.conf configuration file.

Route installation

When completing an IKE negotiation, the IKE daemon may install a route to the remote private network via the negotiated IPsec tunnel. Such a route is installed in a separate routing table.

This feature makes use of PBR.

Enable route installation:

router{conf:myconfig-sec-ike}install-routes enable

Specify the routing table in which routes will be installed:

router{conf:myconfig-sec-ike}routing-table TABLEID|default

Set the priority of the routing table in the PBR rules:

router{conf:myconfig-sec-ike}routing-table-prio PRIORITY|default

Disable route installation:

router{conf:myconfig-sec-ike}install-routes disable

Default values:

router{conf:myconfig-sec-ike}install-routes enable
router{conf:myconfig-sec-ike}routing-table 220
router{conf:myconfig-sec-ike}routing-table-prio 220

Changing any of these options triggers the restart of the IKE daemon.

Warning

The install-routes option must be disabled when using IKE with SVTI interfaces: it would otherwise install invalid routes.

See also

For more details, please refer to the charon.install_routes, charon.routing_table and charon.routing_table_prio options in strongSwan’s strongswan.conf configuration file.

Retransmission constants

The IKE daemon uses an exponential backoff algorithm to compute how long it waits for a reply to a packet before retransmitting it: the timeout grows exponentially with the number of tries, following the formula:

timeout = retransmit-timeout * (retransmit-base ** try)

(where * stands for multiply and ** for power). Once the retransmission with try = retransmit-tries has also timed out, the daemon gives up.

Set the maximum retransmit tries:

router{conf:myconfig-sec-ike}retransmit-tries TRIES|default

Set the initial retransmit timeout:

router{conf:myconfig-sec-ike}retransmit-timeout SECONDS|default

Set the retransmit timeout multiplier:

router{conf:myconfig-sec-ike}retransmit-base MULTIPLIER|default

Default values:

router{conf:myconfig-sec-ike}retransmit-tries 5
router{conf:myconfig-sec-ike}retransmit-timeout 4.0
router{conf:myconfig-sec-ike}retransmit-base 1.8

As an illustration, when using the default values, i.e. an initial timeout of 4s, a base of 1.8, and 5 tries, the retransmission timeouts will occur as follows:

Try              Timeout calculation  Relative  Absolute
Initial message  4s * (1.8 ** 0)      4s        4s
retransmit #1    4s * (1.8 ** 1)      7s        11s
retransmit #2    4s * (1.8 ** 2)      13s       24s
retransmit #3    4s * (1.8 ** 3)      23s       47s
retransmit #4    4s * (1.8 ** 4)      42s       89s
retransmit #5    4s * (1.8 ** 5)      76s       165s
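The schedule above, generalised to any retransmit-timeout, retransmit-base and retransmit-tries values, as an added Python example that is not part of the original page: it reproduces the table row by row and returns the total time after which the daemon stops retransmitting, which bounds how long an exchange with an unresponsive peer stays pending.

```python
def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Expand timeout * (base ** try) into the rows of the page's table.

    One (label, calculation, relative, absolute) row per transmission:
    try 0 is the initial message, the last row is retransmit number
    `tries`. relative is the wait for a reply to that transmission,
    absolute the time elapsed since the initial message when that wait
    ends; both are rounded to whole seconds as in the table."""
    rows = []
    elapsed = 0.0
    for attempt in range(tries + 1):
        wait = timeout * (base ** attempt)
        elapsed += wait
        label = "Initial message" if attempt == 0 else f"retransmit #{attempt}"
        calc = f"{timeout:g}s * ({base:g} ** {attempt})"
        rows.append((label, calc, round(wait), round(elapsed)))
    return rows

def time_to_give_up(timeout=4.0, base=1.8, tries=5):
    """Seconds after the initial message at which the exchange is abandoned."""
    return retransmit_schedule(timeout, base, tries)[-1][3]

def print_schedule(timeout=4.0, base=1.8, tries=5):
    """Print the schedule in the same layout as the page's table."""
    print(f"{'Try':<16}{'Timeout calculation':<22}{'Relative':<10}Absolute")
    for label, calc, rel, total in retransmit_schedule(timeout, base, tries):
        print(f"{label:<16}{calc:<22}{rel:<10}{total}")

if __name__ == "__main__":
    print_schedule()  # the page's default values: 4.0, 1.8, 5
    print("gives up after", time_to_give_up(), "s")
```

This is the nominal schedule: strongSwan's charon.retransmit_jitter and charon.retransmit_limit options, which this page does not cover, randomise and cap the real waits.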

Changing any of these options triggers the restart of the IKE daemon.

See also

For more details, please refer to the charon.retransmit_tries, charon.retransmit_timeout and charon.retransmit_base options in strongSwan’s IKE retransmission behavior.