From d4da77eedf1bca6f89c7b0e9969b079e484acb92 Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Tue, 20 Nov 2018 11:38:53 -0500
Subject: [PATCH 1/3] Update mobileconfig.j2
Changes Child_SA lifetime to 2 hours, and IKE_SA lifetime to 12 hrs (Apple default is actually 12h for both).
---
roles/strongswan/templates/mobileconfig.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/strongswan/templates/mobileconfig.j2 b/roles/strongswan/templates/mobileconfig.j2
index 6cf0ea13..10b4b82f 100644
--- a/roles/strongswan/templates/mobileconfig.j2
+++ b/roles/strongswan/templates/mobileconfig.j2
@@ -69,7 +69,7 @@
IntegrityAlgorithm
SHA2-512
LifeTimeInMinutes
- 20
+ 120
DeadPeerDetectionRate
Medium
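Review bot: this 120-minute value (the first `LifeTimeInMinutes`, which the commit message identifies as the CHILD_SA lifetime) is raised again to 1440 by PATCH 3/3 in the same series, so the intermediate value never ships; consider squashing the two mobileconfig commits so the history records one intended value. Also worth stating in the message: IKEv2 does not negotiate SA lifetimes, so the peer with the shorter lifetime initiates the rekey, and this client-side value only drives CHILD_SA rekeying if it is below the server-side `lifetime` set in PATCH 2/3.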
@@ -90,7 +90,7 @@
IntegrityAlgorithm
SHA2-512
LifeTimeInMinutes
- 20
+ 1440
LocalIdentifier
{{ item.0 }}
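Review bot: 1440 minutes is 24 hours, not the 12 hours the commit message gives for the IKE_SA lifetime, and it does not match the `ikelifetime=12h` that PATCH 2/3 puts in `ipsec.conf.j2`; either change the value to `720` or correct the message. The mismatch is not a functional error, since IKEv2 lifetimes are not negotiated and the peer with the shorter lifetime (the server at 12h) will initiate the IKE_SA rekey, but the message should describe the value that is actually committed.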
From 1540608f8a6b4877d85155ab91e7a4fc701c6caa Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Tue, 20 Nov 2018 11:56:42 -0500
Subject: [PATCH 2/3] Change server-side ipsec.conf settings
Switching to inline rekeying from reauthentication, and lengthening child_SA and IKE_SA lifetimes.
---
roles/strongswan/templates/ipsec.conf.j2 | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/strongswan/templates/ipsec.conf.j2 b/roles/strongswan/templates/ipsec.conf.j2
index 68fa3464..4f515dd8 100644
--- a/roles/strongswan/templates/ipsec.conf.j2
+++ b/roles/strongswan/templates/ipsec.conf.j2
@@ -4,11 +4,14 @@ config setup
conn %default
fragmentation=yes
- rekey=no
+ rekey=yes
+ reauth=no
dpdaction=clear
keyexchange=ikev2
compress=yes
dpddelay=35s
+ lifetime=3h
+ ikelifetime=12h
{% if algo_windows %}
ike={{ ciphers.compat.ike }}
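Review bot: `lifetime=3h` here does not line up with the client-side CHILD_SA lifetime elsewhere in this series (120 minutes in PATCH 1/3, then 1440 minutes in PATCH 3/3), so which peer initiates CHILD_SA rekeying flips between patches; consider keeping the client and server values aligned, or note in the message which side is meant to drive rekeying. Likewise `ikelifetime=12h` is below the client's 1440-minute IKE_SA value from PATCH 1/3, so the server will initiate IKE_SA rekeys. Two caveats for the message: `rekey=yes` with `reauth=no` means the IKE_SA is rekeyed in place rather than torn down and re-authenticated, which is the stated intent, and strongSwan's default `margintime` (9m) and `rekeyfuzz` (100%) are subtracted from these lifetimes, so the effective rekey intervals will be somewhat shorter than 3h and 12h.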
From 0f0ffb87c9339672205420db9cbbc79bc14add81 Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Mon, 3 Dec 2018 10:36:47 -0500
Subject: [PATCH 3/3] Update mobileconfig.j2
Not sure why I had it at 120 for this. I'm running fine with both IKE lifetime and CHILD_SA lifetimes at 1440 (Apple default).
---
roles/strongswan/templates/mobileconfig.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/strongswan/templates/mobileconfig.j2 b/roles/strongswan/templates/mobileconfig.j2
index 10b4b82f..a8123d58 100644
--- a/roles/strongswan/templates/mobileconfig.j2
+++ b/roles/strongswan/templates/mobileconfig.j2
@@ -69,7 +69,7 @@
IntegrityAlgorithm
SHA2-512
LifeTimeInMinutes
- 120
+ 1440
DeadPeerDetectionRate
Medium
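Review bot: the commit message says 1440 is the Apple default for both lifetimes, while the PATCH 1/3 message says the Apple default is 12 hours; the two contradict each other, so please settle on one value and state its source in the message, and squash this into PATCH 1/3 so the 20 -> 120 -> 1440 churn on the same line does not land in history. Functionally, a 1440-minute (24 h) client CHILD_SA lifetime is well above the server's `lifetime=3h` from PATCH 2/3, so the server will always rekey the CHILD_SA first and this client value only acts as a fallback.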