
I am experimenting with built-in Windows IPsec functionality (advfirewall Connection Security Rules method) against an embedded Strongswan server. I have observed the following behavior:

  • Phase 2 (quick mode) has an idle timeout of around 25 seconds.
  • Phase 1 (main mode) appears to have no idle timeout, only limited by mmkeylifetime.

I would like to change these values. One, because Phase 2 expires way too fast. When used for L2TP/IPsec, this also ends the VPN session and requires re-dialing. It is absurdly impractical. For Phase 1, the client continues to ping with NAT-Keepalive packets every 20 seconds indefinitely, which is wasteful, especially if every client PC is doing it.

One workaround for Phase 1 is to set mmkeylifetime low, such as 5 minutes. This causes the MM SA to expire and the keepalives to stop. However, the Windows client will then stall for a whole 25 seconds and send ESP packets into the void before finally establishing a new SA. I'm pretty sure this is not how it's supposed to work, but I have no idea why it's behaving like this.

As an aside, there's the netsh advfirewall set global saidletimemin, for which the documentation states "Security associations are deleted after network traffic is not seen for this specified period of time". This is either outright false, or shoddy programming causes NAT-Keepalive packets to be treated as 'traffic'.

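The netsh advfirewall knobs the question refers to (the global main mode key lifetime and the SA idle time), shown as an added example for readers who want to reproduce the mmkeylifetime workaround and check the saidletimemin value. This is not code from the original post. The 5-minute values are the ones the question mentions, used here for illustration, not as recommendations; the assumption is that the commands are run in an elevated PowerShell prompt on a Windows version where these netsh options exist.

```powershell
# Added example, not from the original post: inspect and adjust the global
# IPsec timers discussed above using netsh advfirewall. Run elevated.

# Show the current global settings; the output includes the main mode
# KeyLifetime (e.g. 480min,0sess) and SAIdleTimeMin values.
netsh advfirewall show global

# Workaround from the question: shorten the main mode key lifetime so the
# MM SA expires and the NAT-Keepalive packets stop. The value format is
# <minutes>min,<sessions>sess; 0sess means no session-count limit.
netsh advfirewall set global mainmode mmkeylifetime 5min,0sess

# SA idle time, in minutes (documented range 5-60). As the question notes,
# NAT keepalives may be counted as traffic, so verify the effect with a
# packet capture rather than trusting the documentation.
netsh advfirewall set global saidletimemin 5

# Confirm the changes were applied (pattern assumed to match the output
# labels on current builds; adjust if your locale/version labels differ).
netsh advfirewall show global | Select-String -Pattern 'KeyLifetime|IdleTime'
```

To undo the lifetime change, set mmkeylifetime back to the value that `netsh advfirewall show global` printed before you modified it (480min,0sess is the value shown on a default installation in my experience; treat that as an assumption and use your own recorded value).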
