Re: VPN Key Negotiation

D@1984 · ‎03-18-2025

Hi,

can someone please advise how much bandwidth will be utilized during the key negotiation and rekeying? just an estimation.

I have some issues with a tunnel that have lots of encryption domains (50+) and the lifetime is set to 10 minutes currently for phase1 and 30 for phase 2. endusers complaining about the poor performance and random disconnections for traffic that goes over the tunnel. looking at the logs, timewise these usually happen at the same time as the rekeying. monitoring the bandwidth, I also see peaks every half an hour which again match the key lifetime. could this disconnections caused by the small key lifetime ? or perhaps large number of encryption domains and the fact that all these SA key negotiation happening same time utilize all the available bandwidth?

Thanks

Aref Alsouqi · ‎03-18-2025

That's a good question and I don't know the answer, however, I would expect the resources used to renegotiate the keys to be minimal. I believe setting the lifetimes with such a short timers would have some impact on the user experience, and to be honest, those timers you mentioned are way agressive. I would recommend trying to increase the timers and see if that helps. Also, one thing you could potentially try to do would be summarizing those encryption domains where possible.

Rob Ingram · ‎03-19-2025

D@1984 I agree with @Aref Alsouqi the timers are too agressive, any reason why so short? If you have a lot of traffic selectors for different networks defined, you could migrate to a route based VPN, which has a TS of 0.0.0.0/0.0.0.0, so one TS to renegotiate. You should still consider longer timers, perhaps with PFS and stronger crypto for IKE and IPSec SA.

D@1984 · ‎03-19-2025

I’m not sure who agreed on these setting but it doesn’t seem that we have the any encryption domain option, it could be restriction on their firewall or their preference.