From 7d9f2c6603252d6da1623f8074a1fa0b49583b4e Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Wed, 20 Jan 2021 01:39:07 -0600
Subject: [PATCH] Fix IKEv2

- Fix an issue with IKEv2 disconnecting after one hour due to IKE SA
  expiration, by setting ikelifetime and salifetime to 24h.
  Ref: #913 #844 https://libreswan.org/man/ipsec.conf.5.html
---
 docs/ikev2-howto-zh.md | 2 ++
 docs/ikev2-howto.md    | 2 ++
 extras/ikev2setup.sh   | 6 ++++--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 38efcc5..078c53c 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -342,6 +342,8 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
      fragmentation=yes
      ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
      phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+     ikelifetime=24h
+     salifetime=24h
    EOF
    ```
 
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 307127f..5ef16f3 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -342,6 +342,8 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
      fragmentation=yes
      ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
      phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+     ikelifetime=24h
+     salifetime=24h
    EOF
    ```
 
diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 47a093e..e6d21e4 100644
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -595,7 +595,7 @@ cat > "$mc_file" <<EOF
           <key>EncryptionAlgorithm</key>
           <string>AES-256-GCM</string>
           <key>LifeTimeInMinutes</key>
-          <integer>1440</integer>
+          <integer>1410</integer>
         </dict>
         <key>DeadPeerDetectionRate</key>
         <string>Medium</string>
@@ -614,7 +614,7 @@ cat > "$mc_file" <<EOF
           <key>IntegrityAlgorithm</key>
           <string>SHA2-256</string>
           <key>LifeTimeInMinutes</key>
-          <integer>1440</integer>
+          <integer>1410</integer>
         </dict>
         <key>LocalIdentifier</key>
         <string>$client_name</string>
@@ -796,6 +796,8 @@ conn ikev2-cp
   fragmentation=yes
   ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  ikelifetime=24h
+  salifetime=24h
   encapsulation=yes
 EOF