{"type":"doc","content":[{"type":"heading","attrs":{"level":2},"content":[{"text":"Generic IKE control-plane settings","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"IKE SA limit","type":"text"}]},{"type":"paragraph","content":[{"text":"Sets the global maximum number of IKE SAs for the entire IKE control-plane. The limit applies to the sum of all IKE SAs across all IKE-based features, regardless of the IKE version or the feature profile. (This is not a per feature/profile limit).","type":"text"}]},{"type":"paragraph","content":[{"text":"This setting is essential for all IPsec RA VPN server deployments, to not exceed their available resources.","type":"text"}]},{"type":"paragraph","content":[{"text":"Log-message (mgr = 1):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"eb8f29ea-a9e9-47e9-be1a-7969d4b9f481"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"ignoring , hitting IKE_SA limit ()","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"Default: 0 (no limit)","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"3a5e6426-fe99-47b1-afee-e5a4a2f07b4e"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike ikesa-limit <10..4294967295>","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Worker threads","type":"text"}]},{"type":"paragraph","content":[{"text":"The IKE control-plane tries to split as many tasks of the IKE management as possible into small jobs with different priorities. To allow efficient and parallel processing of many IKE exchanges at the same time. Five (5) worker threads are permanent occupied by dedicated jobs (network receiver, scheduler, job dispatcher, ...).","type":"text"},{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Default: 16","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"958da3b1-04b6-4536-b5bc-db00735c99de"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike worker-threads <10-32>","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"IKE SA hash table parameters","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"ikesa-table-size","type":"text"}]},{"type":"paragraph","content":[{"text":"Configures the hash table size to store IKE SAs.","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Each hash table entry holds a linked-list used to store the IKE SAs. By default the hash table size is one and only holds one linked-list, which results in one single linked-list holding all IKE SAs. This is acceptable for small setups with a small amount of IKE SAs installed.","type":"text"}]},{"type":"paragraph","content":[{"text":"Setups with many IKE SAs can partiton the linked-list by creating multiple linked-list. This is done by enhancing the hash table size. The key of the hash table are based on the IKE SPIs.","type":"text"}]},{"type":"paragraph","content":[{"text":"During the hash table look a lock of the hash table is held. The ikesa-table-segements option can be used to divide the table in segments, so only partially segments get locked. The value should be a power of two, otherwise it gets rounded to the next higher of power of two.","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"196c9670-3bf4-4995-84a3-dce85f26196e"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike ikesa-table-size <1..4096>","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":4},"content":[{"text":"ikesa-table-segments","type":"text"}]},{"type":"paragraph","content":[{"text":"Configures the (lock) segments of the hash table to store IKE SAs. The IKE SA hash table gets divided in multiple segements, which then gets individually locked during a lookup or manipulation. The value should be a power of two, otherwise it gets rounded to the next higher of power of two.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default: 1","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"3381b00f-fcef-48b3-8f3a-3843bc248752"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike ikesa-table-segments <1..4096>","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Interfaces","type":"text"}]},{"type":"paragraph","content":[{"text":"Interface while-list the IKE control-plane should listen to.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default: any","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"673c4c95-f12d-489c-9ec6-6f7500d9425b"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike interface [.. list of interfaces ...]","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"},{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Make-before-break","type":"text"}]},{"type":"paragraph","content":[{"text":"By default reauthentication in IKEv2 is performed in a break-before-make way. The make-before-break option allows to reauthenticate by establishing overlapping IKE SAs. This is not supported by all IKE implementations and might cause interoperability issues.","type":"text"}]},{"type":"paragraph","content":[{"text":"IKEv2 specific option.","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"cf2bf0f7-a2e4-4d6c-afb3-4433a668f9c7"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike make-before-break","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"IKE retransmits","type":"text"}]},{"type":"paragraph","content":[{"text":"Configures retransmission of IKE protocol messages.","type":"text"},{"type":"hardBreak"},{"text":"The formula of the retransmission for each attempt (n):","type":"text"}]},{"type":"paragraph","content":[{"text":"Relative retransmission timeout = timeout * base ^ (n - 1)","type":"text"}]},{"type":"paragraph","content":[{"text":"Example with default values: tries 5, timeout 4.0, base 1.8","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"4adef7c2-96ec-44c6-b8d1-99bf40c20e5a"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"#1 retransmission (n=1) after: 4.0 * 1.8 ^ (1 - 1) = 4.0s\n#2 retransmission (n=2) after: 4.0 * 1.8 ^ (2 - 1) = 7.2s\n#3 retransmission (n=3) after: 4.0 * 1.8 ^ (3 - 1) = 12.96s\n#4 retransmission (n=4) after: 4.0 * 1.8 ^ (4 - 1) = 23.328s\n#5 retransmission (n=5) after: 4.0 * 1.8 ^ (5 - 1) = 41.99040s\nLast retransmission times out : 4.0 * 1.8 ^ (6 - 1) = 75.582720s","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"},{"text":"Retransmission configuration changes will have no impact on existing IKE SA.","type":"text"},{"type":"hardBreak"},{"text":"Manual reset of IKE SA required instead.","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"36d9459a-b06d-494d-a905-770e5bf84b16"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike retransmit base <1.0..4.0>\n# set security vpn ike retransmit timeout <1.0..32.0>\n# set security vpn ike retransmit tries <1..32>","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Log message (ike=1):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"a2a1a640-f6c8-4532-8ab7-2728a15bf45f"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# IKEv1\nsending retransmit of request message ID , seq \nsending retransmit of response message ID , seq \nreceived retransmit of DPD request, ....\nreceived retransmit of request with ID , ....\nreceived retransmit of response with ID , ....\n \n# IKEv2\nretransmit of request with message ID \nreceived retransmit of request with ID , retransmitting response\n \n# IKEv1 & IKEv2\ngiving up after retransmits","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Denial-of-Service protection","type":"text"}]},{"type":"paragraph","content":[{"text":"Following DoS protection is available for the IKE control-plane to reduce the impact of malicious peers or misbehaving clients cause a CPU/memory exhaustion. This might also limit the exploitation of IKE DoS amplification attacks, where the IKE control-plane is used as amplifier.","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Reducing or disabling any DoS related settings might lead to outages of the IKE control-plane if confronted with misbehaving clients or malicious peers.","type":"text"}]},{"type":"paragraph","content":[{"text":"Depending on the service deployment, the default values might not provide the required protection. IPsec RA VPN server deployments ","type":"text"},{"text":"SHOULD","type":"text","marks":[{"type":"strong"}]},{"text":" set upper limits for: IKE SA half-open limit, IKE SA limit","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Block threshold","type":"text"}]},{"type":"paragraph","content":[{"text":"Sets the maximum number of simultaneously ongoing connection attempts (\"half-open\" IKE SAs) for an individual peer IP address. If this threshold is exceeded by an individual IP address the IKE_SA_INIT packets gets dropped by the IKE control-plane, no IKE error response is sent.","type":"text"}]},{"type":"paragraph","content":[{"text":"Log message (net = 1):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"8330e6ba-740a-4344-b83a-37f12a8202a0"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"ignoring IKE_SA setup from peer too aggressive","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Default: 5","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"bf2824ad-d43b-42b1-bd69-5dbffe03cc14"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike block-threshold <0..4294967295>","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"IKE SA half-open limit","type":"text"}]},{"type":"paragraph","content":[{"text":"Sets the global maximum number of simultaneously ongoing connection attempts (\"half-open\" IKE SAs), apply to all peers. If this threshold is exceeded the IKE_SA_INIT packgets get dropped by the IKE control-plane, no IKE error response is sent.","type":"text"}]},{"type":"paragraph","content":[{"text":"Log message (net = 1):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"6d0ff2a9-2c3e-42b5-aed7-c004b67625a4"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"ignoring IKE_SA setup from , half open IKE_SA count of exceeds limit of ","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Default: 0 (disabled)","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"379b9e8a-ca2c-45df-83f7-27f6bb4a12ed"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike init-limit-half-open <10..4294967295>","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"IKE SA half-open timeout","type":"text"}]},{"type":"paragraph","content":[{"text":"The IKE SA half-open timeout allows to control the lifetime of an ongoing connection attempt (\"half-open\" IKE SA), before the incomplete IKE SA gets deleted inside the IKE control-plane. The intention is to release resources quickly of half-open IKE SAs, which might be a result of a malfunctioning peers or malicious peers performing a DoS trying to exhaust resources or slowing down the service. Bogus IKE SA entries in the IKE control-plane can have strong performance impact on the IKE SA lookup, which might slow down the overall IKE control-plane performance.","type":"text"}]},{"type":"paragraph","content":[{"text":"Log message (job = 1):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"fd9b0b62-e137-4e33-beb2-50a00cfaaba0"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"deleting half open IKE_SA with after timeout","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Default: 30 seconds","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"0216903b-a7dc-4a3d-a706-a4675d12edbc"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike half-open-timeout <15..60>","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Cookie threshold","type":"text"}]},{"type":"paragraph","content":[{"text":"To mitigate DDoS from many different peer addresses, IKEv2 is able to enable a cookie mechanism, if the number of ongoing connection attempts (\"half-open\" IKE SAs), of all peers, exceeds the cookie threshold.","type":"text"}]},{"type":"paragraph","content":[{"text":"The IKE control-plane will response with a IKE_SA_INIT message, including a Cookie payload. The peer needs to resend the exact same IKE_SA_INIT message as initially, including the returned Cookie payload. This proofs that the request is not send from a forge source address and that the peer is actually able to receive and process IKE messages.","type":"text"}]},{"type":"paragraph","content":[{"text":"Each cookie payload is unique. The cookie includes a randomly generated secret, which will be reused for up to 10000 and then regenerated. The individually generated cookies have a lifetime of 10 seconds.","type":"text"}]},{"type":"paragraph","content":[{"text":"If a peer sends an old cookie (cookie lifetime expired, old cookie secret), the IKE control-plane will handle this as no cookie was provided and responses as if this would be the first IKE_SA_INIT request from the peer.","type":"text"}]},{"type":"paragraph","content":[{"text":"There is a cookie mechanism calm down period of 10 seconds, which will keep the cookie mechanism for 10 seconds since the last generated cookie. This means there needs to be a period of 10 seconds of no new connection attempts, to get the cookie mechanism turned off again.","type":"text"}]},{"type":"paragraph","content":[{"text":"Cookie calm down period, cookie secret reuse limit, cookie secret length and cookie lifetime are fixed parameters, not configurable.","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Log message (net = 2):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"06d74670-3155-48a2-80b0-236af21d3fa0"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# when cookie payload gets send as response to a IKE_SA_INIT.\n# Only indication in the logs that the cookie mechanism got active. (Unless IKE payloads logging is enabled as well)\nsending COOKIE notify to \n \n# received cookie is older then then 10 seconds:\nreceived cookie lifetime expired, rejecting\n \n# invalid cookie received (e.g. old cookie secret, spoofed IKE packet, ...):\nfound cookie, but content invalid","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"Log message (net = 1):","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"274096af-bfab-4c27-80e2-818a32982015"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# New cookie secret gets generated, if used more then 10000 times:\ngenerating new cookie secret after uses\n \n# Systems Random Number Generator (RNG) was not able to generate a new secret (memory pressure, low on system entropy, ...)\nfailed to allocated cookie secret, keeping old","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Default: 10","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"3f37cdaa-8fd6-44ee-b0b4-906b119d68e6"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"initial","rowspan":1,"colwidth":[680.0]},"content":[{"type":"codeBlock","content":[{"text":"# set security vpn ike cookie-threshold <0..4294967295>","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"By default reauthentication in IKEv2 is performed in a break-before-make way. The make-before-break option allows to reauthenticate by establishing overlapping IKE SAs. This is not supported by all IKE implementations and might cause interoperability issues. IKEv2 specific option.","type":"text"}]}],"version":1}

Browser not supported