From 2b6586cf1b808f8ed2027469d4902198d3c26a74 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Thu, 21 Jan 2021 23:24:41 -0600
Subject: [PATCH] Increase IKE lifetime

- Set both "ikelifetime" and "salifetime" to 24 hours, which is recommended since we have "rekey=no" on the server. VPN clients will normally initiate rekey with a shorter interval. Ref: https://github.com/libreswan/libreswan/issues/405#issuecomment-765109809 https://libreswan.org/man/ipsec.conf.5.html
---
 vpnsetup.sh | 2 ++
 vpnsetup_amzn.sh | 2 ++
 vpnsetup_centos.sh | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/vpnsetup.sh b/vpnsetup.sh
index 761736d..25cc048 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -274,6 +274,8 @@ conn shared
 ikev2=never
 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
+ ikelifetime=24h
+ salifetime=24h
 sha2-truncbug=no
 
 conn l2tp-psk
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index 9c5419a..d3c336d 100644
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -224,6 +224,8 @@ conn shared
 ikev2=never
 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
+ ikelifetime=24h
+ salifetime=24h
 sha2-truncbug=no
 
 conn l2tp-psk
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 290f64a..01ef177 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -255,6 +255,8 @@ conn shared
 ikev2=never
 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
+ ikelifetime=24h
+ salifetime=24h
 sha2-truncbug=no
 
 conn l2tp-psk
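Review bot: With `ikelifetime=24h` and `salifetime=24h` on a server that, per the message, runs with `rekey=no`, the server no longer bounds how long one IPsec key set stays in use; the only remaining bound is whatever lifetime the client proposes, so a client configured with a long lifetime, or one that never initiates rekey, keeps the same child SA keys for a full day (24h is the ceiling the linked ipsec.conf man page allows for both settings, if I recall it correctly). That is a defensible trade-off, but nothing in the generated config records it, and a later maintainer seeing `rekey=no` next to a day-long lifetime may "fix" either one; a comment above the two new lines, `  # server has rekey=no; clients are expected to rekey well before 24h`, would preserve the reasoning in the emitted ipsec.conf. The same two lines are added identically in vpnsetup_amzn.sh and vpnsetup_centos.sh, so the three copies of this `conn shared` block have to be kept in step by hand. The heredoc that presumably emits this block starts and ends outside all three hunks.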