IPsec/IKE manual

Generic IKE control-plane settings

IKE SA limit

Sets the global maximum number of IKE SAs for the entire IKE control-plane. The limit applies to the sum of all IKE SAs across all IKE-based features, regardless of the IKE version or the feature profile; it is not a per-feature or per-profile limit.

This setting is essential for all IPsec RA VPN server deployments so that they do not exceed their available resources.

Log-message (mgr = 1):

ignoring <message-type>, hitting IKE_SA limit (<configured ikesa-limit>)


Default: 0 (no limit)

# set security vpn ike ikesa-limit <10..4294967295>


Worker threads

The IKE control-plane splits as many IKE management tasks as possible into small jobs with different priorities, so that many IKE exchanges can be processed efficiently and in parallel. Five (5) of the worker threads are permanently occupied by dedicated jobs (network receiver, scheduler, job dispatcher, ...).

Default: 16

# set security vpn ike worker-threads <10-32>


IKE SA hash table parameters

ikesa-table-size

Configures the hash table size to store IKE SAs.



Each hash table entry holds a linked list used to store the IKE SAs. By default the hash table size is one, so it holds only one linked list, which results in a single linked list holding all IKE SAs. This is acceptable for small setups with a small number of IKE SAs installed.

Setups with many IKE SAs can partition that list into multiple linked lists by increasing the hash table size. The hash table keys are based on the IKE SPIs.

During a hash table lookup a lock on the hash table is held. The ikesa-table-segments option can be used to divide the table into segments, so that only the affected segment gets locked. The value should be a power of two, otherwise it gets rounded up to the next power of two.


ikesa-table-segments

Configures the (lock) segments of the hash table that stores IKE SAs. The IKE SA hash table gets divided into multiple segments, which are then locked individually during a lookup or manipulation. The value should be a power of two, otherwise it gets rounded up to the next power of two.

Default: 1
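The following is an added illustration, not the product's own code: a small model of the IKE SA hash table described above, keyed by the IKE SPI pair, with a configurable table size and a configurable number of lock segments. It shows the rounding to the next power of two, how a bucket maps to a lock segment, and why a table size of one makes every lookup walk the whole list. The class and function names and the SPI-to-bucket hash are this example's assumptions.

```python
# Added example (not the product's code): model of the IKE SA hash table
# with ikesa-table-size buckets and ikesa-table-segments locks.
# Names and the SPI-to-bucket mapping are this example's own assumptions.
import threading


def round_up_pow2(value):
    """Round up to the next power of two, as the manual says the
    control-plane does for ikesa-table-size and ikesa-table-segments."""
    if value < 1:
        raise ValueError("size must be >= 1")
    return 1 << (value - 1).bit_length()


class IkeSaTable:
    def __init__(self, table_size=1, segments=1):
        self.size = round_up_pow2(table_size)
        # more segments than buckets makes no sense, clamp to the table size
        self.segments = min(round_up_pow2(segments), self.size)
        self.buckets = [[] for _ in range(self.size)]   # one list per bucket
        self.locks = [threading.Lock() for _ in range(self.segments)]

    def _bucket(self, spi_i, spi_r):
        # assumed hash of both SPIs; size is a power of two so a mask suffices
        return (spi_i ^ (spi_r * 0x9E3779B97F4A7C15)) & (self.size - 1)

    def _lock(self, bucket):
        # consecutive buckets share one segment; only that segment is locked
        return self.locks[bucket * self.segments // self.size]

    def insert(self, spi_i, spi_r, sa):
        b = self._bucket(spi_i, spi_r)
        with self._lock(b):
            self.buckets[b].append(((spi_i, spi_r), sa))

    def lookup(self, spi_i, spi_r):
        """Return (sa, entries_walked). entries_walked is the lookup cost:
        with table size 1 every IKE SA sits in a single list."""
        b = self._bucket(spi_i, spi_r)
        with self._lock(b):
            for walked, (key, sa) in enumerate(self.buckets[b], start=1):
                if key == (spi_i, spi_r):
                    return sa, walked
            return None, len(self.buckets[b])


def average_chain_length(table):
    """Average number of IKE SAs per non-empty bucket."""
    chains = [len(bk) for bk in table.buckets if bk]
    return sum(chains) / len(chains) if chains else 0.0


if __name__ == "__main__":
    small, large = IkeSaTable(table_size=1), IkeSaTable(table_size=1000, segments=3)
    for i in range(4096):                       # constructed SPI pairs
        small.insert(i, 7 * i + 3, f"sa{i}")
        large.insert(i, 7 * i + 3, f"sa{i}")
    print("size 1   : avg chain", average_chain_length(small))
    print("size 1024: avg chain", average_chain_length(large), "segments", large.segments)
```

Running it with a few thousand constructed SAs shows the difference the text describes: with the default size of one, a lookup of the last inserted SA walks every entry, while a larger table spreads the SAs over many short lists and a lookup only holds one of the segment locks.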


Interfaces

White-list of interfaces the IKE control-plane should listen on.

Default: any




Make-before-break

By default, reauthentication in IKEv2 is performed in a break-before-make way. The make-before-break option allows reauthentication by establishing overlapping IKE SAs. This is not supported by all IKE implementations and might cause interoperability issues.

IKEv2 specific option.



IKE retransmits

Configures retransmission of IKE protocol messages.
The relative retransmission timeout for each attempt (n) is calculated as:

Relative retransmission timeout = timeout * base ^ (n - 1)

Example with default values: tries 5, timeout 4.0, base 1.8
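As an added worked example (not part of the manual), the following script evaluates the formula above for every attempt and sums the result, so the schedule behind the default values can be seen at a glance. It assumes that attempt n waits timeout * base ^ (n - 1) seconds before the next retransmission and that "tries" is the number of attempts; the function names are this example's own.

```python
# Added example (not from the manual): evaluate the manual's formula
#     relative timeout = timeout * base ** (n - 1)
# for attempts n = 1..tries and sum up how long an unanswered exchange
# is kept alive before it is given up. Function names are this example's own.


def retransmit_schedule(tries=5, timeout=4.0, base=1.8):
    """Relative timeout (seconds) waited after each attempt n = 1..tries."""
    if tries < 1 or timeout <= 0 or base <= 0:
        raise ValueError("tries >= 1, timeout > 0 and base > 0 required")
    return [timeout * base ** (n - 1) for n in range(1, tries + 1)]


def total_wait(tries=5, timeout=4.0, base=1.8):
    """Seconds from the first transmission until the last timeout expires."""
    return sum(retransmit_schedule(tries, timeout, base))


if __name__ == "__main__":
    elapsed = 0.0
    for n, wait in enumerate(retransmit_schedule(), start=1):
        elapsed += wait
        print(f"attempt {n}: wait {wait:.2f}s, gives up at t={elapsed:.2f}s")
    print(f"total: {total_wait():.2f}s")
```

With the defaults (tries 5, timeout 4.0, base 1.8) the waits grow from 4.0 s to about 42 s and the exchange is abandoned after roughly 89 s; raising "base" lengthens the tail much more than raising "timeout", which is worth keeping in mind when tuning for lossy links versus resource usage.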


Retransmission configuration changes have no impact on existing IKE SAs.
A manual reset of the IKE SA is required instead.



Log message (ike=1):





Denial-of-Service protection

The following DoS protections are available for the IKE control-plane to reduce the impact of malicious peers or misbehaving clients causing CPU/memory exhaustion. They might also limit the exploitation of IKE DoS amplification attacks, where the IKE control-plane is used as an amplifier.



Reducing or disabling any DoS-related setting might lead to outages of the IKE control-plane if it is confronted with misbehaving clients or malicious peers.

Depending on the service deployment, the default values might not provide the required protection. IPsec RA VPN server deployments SHOULD set upper limits for: IKE SA half-open limit, IKE SA limit.



Block threshold

Sets the maximum number of simultaneously ongoing connection attempts ("half-open" IKE SAs) for an individual peer IP address. If this threshold is exceeded by an individual IP address, the IKE_SA_INIT packets get dropped by the IKE control-plane; no IKE error response is sent.

Log message (net = 1):



Default: 5



IKE SA half-open limit

Sets the global maximum number of simultaneously ongoing connection attempts ("half-open" IKE SAs), applying to all peers. If this threshold is exceeded, the IKE_SA_INIT packets get dropped by the IKE control-plane; no IKE error response is sent.

Log message (net = 1):



Default: 0 (disabled)



IKE SA half-open timeout

The IKE SA half-open timeout controls the lifetime of an ongoing connection attempt ("half-open" IKE SA) before the incomplete IKE SA gets deleted inside the IKE control-plane. The intention is to quickly release the resources of half-open IKE SAs, which might result from malfunctioning peers or from malicious peers performing a DoS that tries to exhaust resources or slow down the service. Bogus IKE SA entries in the IKE control-plane can have a strong performance impact on the IKE SA lookup, which might slow down the overall IKE control-plane.

Log message (job = 1):



Default: 30 seconds
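The three half-open protections above (per-peer block threshold, global half-open limit and half-open timeout) interact, so the following added model (not the product's code) implements them together with the manual's defaults, using a caller-supplied clock so the timeout behaviour can be reproduced offline. The class name, method names and the log strings are this example's own; the control-plane's real log messages are not reproduced.

```python
# Added example (not the product's code): model of the IKE control-plane's
# half-open IKE SA protections with the manual's defaults:
#   block threshold 5 per peer, global half-open limit 0 (disabled),
#   half-open timeout 30 s. Names and log strings are this example's own.
from collections import defaultdict


class HalfOpenTracker:
    def __init__(self, block_threshold=5, half_open_limit=0, half_open_timeout=30.0):
        self.block_threshold = block_threshold
        self.half_open_limit = half_open_limit        # 0 means disabled
        self.half_open_timeout = half_open_timeout
        self.half_open = {}                            # (peer_ip, spi_i) -> time created
        self.per_peer = defaultdict(int)               # peer_ip -> half-open count
        self.log = []

    def _remove(self, peer, spi):
        del self.half_open[(peer, spi)]
        self.per_peer[peer] -= 1
        if self.per_peer[peer] <= 0:
            del self.per_peer[peer]

    def expire(self, now):
        """Half-open timeout: delete incomplete SAs older than the timeout so
        bogus entries stop inflating the SA table. Returns the number deleted."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 >= self.half_open_timeout]
        for peer, spi in stale:
            self._remove(peer, spi)
            self.log.append(f"job: half-open IKE_SA from {peer} timed out, deleted")
        return len(stale)

    def on_ike_sa_init(self, peer, spi_i, now):
        """Return True if the IKE_SA_INIT becomes a new half-open SA, False if
        it is silently dropped (no IKE error response, as the manual states)."""
        self.expire(now)
        if self.per_peer[peer] >= self.block_threshold:
            self.log.append(f"net: dropping IKE_SA_INIT from {peer}, "
                            f"block threshold ({self.block_threshold}) reached")
            return False
        if self.half_open_limit and len(self.half_open) >= self.half_open_limit:
            self.log.append(f"net: dropping IKE_SA_INIT from {peer}, "
                            f"half-open limit ({self.half_open_limit}) reached")
            return False
        self.half_open[(peer, spi_i)] = now
        self.per_peer[peer] += 1
        return True

    def on_ike_auth_complete(self, peer, spi_i):
        """IKE_AUTH finished: the SA is established and no longer half-open."""
        if (peer, spi_i) in self.half_open:
            self._remove(peer, spi_i)
            return True
        return False


if __name__ == "__main__":
    t = HalfOpenTracker()
    # constructed traffic: one address opens six attempts, another opens one
    for spi in range(6):
        print("203.0.113.7 spi", spi, "->", t.on_ike_sa_init("203.0.113.7", spi, now=0.0))
    print("198.51.100.2 spi 1 ->", t.on_ike_sa_init("198.51.100.2", 1, now=1.0))
    print("expired after 30.5s:", t.expire(now=30.5))
    print("\n".join(t.log))
```

Note how the block threshold only stops the sixth attempt from the same address and never affects the other peer, while the half-open timeout is what eventually frees the stuck entries and lets that address connect again; the global half-open limit (enable it with a non-zero value) is the backstop when many addresses each stay under the per-peer threshold.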


To mitigate DDoS from many different peer addresses, IKEv2 can enable a cookie mechanism if the number of ongoing connection attempts ("half-open" IKE SAs) of all peers exceeds the cookie threshold.

The IKE control-plane responds with an IKE_SA_INIT message including a Cookie payload. The peer needs to resend exactly the same IKE_SA_INIT message as initially, including the returned Cookie payload. This proves that the request was not sent from a forged source address and that the peer is actually able to receive and process IKE messages.

Each cookie payload is unique. The cookie includes a randomly generated secret, which is reused for up to 10000 cookies and then regenerated. The individually generated cookies have a lifetime of 10 seconds.

If a peer sends an old cookie (cookie lifetime expired, old cookie secret), the IKE control-plane handles this as if no cookie was provided and responds as if this were the first IKE_SA_INIT request from the peer.

There is a cookie mechanism calm-down period of 10 seconds: the cookie mechanism stays active for 10 seconds after the last generated cookie. This means there needs to be a period of 10 seconds without new connection attempts before the cookie mechanism is turned off again.

The cookie calm-down period, cookie secret reuse limit, cookie secret length and cookie lifetime are fixed parameters and not configurable.
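To make the cookie exchange concrete, here is an added model of the responder side (not the product's code) that implements the behaviour described above with the fixed parameters the manual gives: activation at the cookie threshold, a secret reused for up to 10000 cookies, a cookie lifetime of 10 seconds, a calm-down period of 10 seconds, and stale cookies treated as if none were sent. The cookie layout (secret id | issue time | HMAC over nonce, peer address and SPI) is modelled on the construction suggested in RFC 7296 section 2.6; that layout, the 32-byte secret length, and all names are this example's assumptions.

```python
# Added example (not the product's code): model of the IKEv2 responder cookie
# mechanism with the manual's fixed parameters. Cookie layout, secret length
# and all names are this example's assumptions.
import hashlib
import hmac
import os
import struct


class CookieResponder:
    SECRET_REUSE_LIMIT = 10000   # cookies generated per secret before regeneration
    COOKIE_LIFETIME = 10.0       # seconds an individual cookie stays valid
    CALM_DOWN = 10.0             # seconds the mechanism stays on after the last cookie

    def __init__(self, cookie_threshold=10):
        self.cookie_threshold = cookie_threshold
        self.secrets = {}            # secret id -> secret; current and previous are kept
        self.secret_id = 0
        self.uses = 0
        self._new_secret()
        self.last_cookie_time = None
        self.half_open = set()       # (peer_ip, spi_i) of ongoing connection attempts

    def _new_secret(self):
        self.secret_id += 1
        # keep only the previous secret so cookies issued just before rotation still verify
        self.secrets = {k: v for k, v in self.secrets.items() if k == self.secret_id - 1}
        self.secrets[self.secret_id] = os.urandom(32)   # assumed secret length
        self.uses = 0

    def _mac(self, secret, peer_ip, spi_i, nonce, issued):
        msg = peer_ip.encode() + struct.pack(">QI", spi_i, issued) + nonce
        return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

    def _make_cookie(self, peer_ip, spi_i, nonce, now):
        if self.uses >= self.SECRET_REUSE_LIMIT:
            self._new_secret()
        self.uses += 1
        self.last_cookie_time = now
        issued = int(now)
        mac = self._mac(self.secrets[self.secret_id], peer_ip, spi_i, nonce, issued)
        return struct.pack(">HI", self.secret_id, issued) + mac

    def _cookie_valid(self, cookie, peer_ip, spi_i, nonce, now):
        if cookie is None or len(cookie) != 22:
            return False
        sid, issued = struct.unpack(">HI", cookie[:6])
        secret = self.secrets.get(sid)
        if secret is None or now - issued > self.COOKIE_LIFETIME:
            return False   # old secret or expired cookie: treated as if none was sent
        return hmac.compare_digest(cookie[6:], self._mac(secret, peer_ip, spi_i, nonce, issued))

    def cookies_active(self, now):
        recent = self.last_cookie_time is not None and now - self.last_cookie_time < self.CALM_DOWN
        return len(self.half_open) >= self.cookie_threshold or recent

    def handle_ike_sa_init(self, peer_ip, spi_i, nonce, now, cookie=None):
        """Return ("COOKIE", cookie) when the initiator must resend its
        IKE_SA_INIT with the cookie, or ("ACCEPT", None) when a half-open
        IKE SA is created."""
        if self.cookies_active(now) and not self._cookie_valid(cookie, peer_ip, spi_i, nonce, now):
            return "COOKIE", self._make_cookie(peer_ip, spi_i, nonce, now)
        self.half_open.add((peer_ip, spi_i))
        return "ACCEPT", None

    def complete(self, peer_ip, spi_i):
        """IKE_AUTH finished or the half-open SA was deleted: no longer counted."""
        self.half_open.discard((peer_ip, spi_i))


if __name__ == "__main__":
    r = CookieResponder(cookie_threshold=3)
    for i in range(3):                           # constructed peers fill the threshold
        r.handle_ike_sa_init("192.0.2.1", i, b"nonce", now=0.0)
    state, ck = r.handle_ike_sa_init("203.0.113.9", 7, b"nonce", now=1.0)
    print("first IKE_SA_INIT:", state, ck.hex())
    print("resend with cookie:", r.handle_ike_sa_init("203.0.113.9", 7, b"nonce", now=2.0, cookie=ck)[0])
    print("same cookie, other source:", r.handle_ike_sa_init("203.0.113.10", 7, b"nonce", now=2.0, cookie=ck)[0])
    print("cookie after 11s:", r.handle_ike_sa_init("203.0.113.9", 7, b"nonce", now=12.0, cookie=ck)[0])
```

The MAC binds the cookie to the source address, the SPI and the nonce, which is why the peer must resend the identical IKE_SA_INIT and why a cookie replayed from a different address is rejected; because an expired or old-secret cookie is simply answered with a fresh one, a legitimate but slow peer loses only one round trip, while a spoofed address never completes the exchange.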



Log message (net = 2):

Log message (net = 1):



Default: 10
