From d969b8e1b65273ef92a1e386529735ffb6e2acc4 Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Tue, 9 Apr 2019 08:37:08 -0400
Subject: [PATCH] Fix 963 again (#1379)

* Create charon.conf.j2

Create charon.conf template with mods

* Update mobileconfig.j2

Increase client side lifetimes

* Update ipsec.conf.j2

Add server-side lifetimes

* Add charon.conf
---
 .../strongswan/tasks/ipsec_configuration.yml  |   5 +
 roles/strongswan/templates/charon.conf.j2     | 365 ++++++++++++++++++
 roles/strongswan/templates/ipsec.conf.j2      |   2 +
 roles/strongswan/templates/mobileconfig.j2    |   4 +-
 4 files changed, 374 insertions(+), 2 deletions(-)
 create mode 100644 roles/strongswan/templates/charon.conf.j2

diff --git a/roles/strongswan/tasks/ipsec_configuration.yml b/roles/strongswan/tasks/ipsec_configuration.yml
index ce5b3e5..af19ed4 100644
--- a/roles/strongswan/tasks/ipsec_configuration.yml
+++ b/roles/strongswan/tasks/ipsec_configuration.yml
@@ -23,6 +23,11 @@
       owner: strongswan
       group: "{{ root_group|default('root') }}"
       mode: "0600"
+    - src: charon.conf.j2
+      dest: "strongswan.d/charon.conf"
+      owner: root
+      group: "{{ root_group|default('root') }}"
+      mode: "0644"
   notify:
     - restart strongswan
 
diff --git a/roles/strongswan/templates/charon.conf.j2 b/roles/strongswan/templates/charon.conf.j2
new file mode 100644
index 0000000..303c92f
--- /dev/null
+++ b/roles/strongswan/templates/charon.conf.j2
@@ -0,0 +1,365 @@
+# Options for the charon IKE daemon.
+charon {
+
+    # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+    # accept_unencrypted_mainmode_messages = no
+
+    # Maximum number of half-open IKE_SAs for a single peer IP.
+    # block_threshold = 5
+
+    # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
+    # should be saved under a unique file name derived from the public key of
+    # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+    # /etc/swanctl/x509crl (vici), respectively.
+    # cache_crls = no
+
+    # Whether relations in validated certificate chains should be cached in
+    # memory.
+    # cert_cache = yes
+
+    # Send Cisco Unity vendor ID payload (IKEv1 only).
+    # cisco_unity = no
+
+    # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+     close_ike_on_child_failure = yes
+
+    # Number of half-open IKE_SAs that activate the cookie mechanism.
+    # cookie_threshold = 10
+
+    # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+    # delete_rekeyed = no
+
+    # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
+    # (IKEv2 only).
+    # delete_rekeyed_delay = 5
+
+    # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+    # strength.
+    # dh_exponent_ansi_x9_42 = yes
+
+    # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
+    # missing symbols immediately.
+    # dlopen_use_rtld_now = no
+
+    # DNS server assigned to peer via configuration payload (CP).
+    # dns1 =
+
+    # DNS server assigned to peer via configuration payload (CP).
+    # dns2 =
+
+    # Enable Denial of Service protection using cookies and aggressiveness
+    # checks.
+    # dos_protection = yes
+
+    # Compliance with the errata for RFC 4753.
+    # ecp_x_coordinate_only = yes
+
+    # Free objects during authentication (might conflict with plugins).
+    # flush_auth_cfg = no
+
+    # Whether to follow IKEv2 redirects (RFC 5685).
+    # follow_redirects = yes
+
+    # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
+    # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+    # to 1280 (use 0 for address family specific default values, which uses a
+    # lower value for IPv4).  If specified this limit is used for both IPv4 and
+    # IPv6.
+    # fragment_size = 1280
+
+    # Name of the group the daemon changes to after startup.
+    # group =
+
+    # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+     half_open_timeout = 5
+
+    # Enable hash and URL support.
+    # hash_and_url = no
+
+    # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+    # i_dont_care_about_security_and_use_aggressive_mode_psk = no
+
+    # Whether to ignore the traffic selectors from the kernel's acquire events
+    # for IKEv2 connections (they are not used for IKEv1).
+    # ignore_acquire_ts = no
+
+    # A space-separated list of routing tables to be excluded from route
+    # lookups.
+    # ignore_routing_tables =
+
+    # Maximum number of IKE_SAs that can be established at the same time before
+    # new connection attempts are blocked.
+    # ikesa_limit = 0
+
+    # Number of exclusively locked segments in the hash table.
+    # ikesa_table_segments = 1
+
+    # Size of the IKE_SA hash table.
+    # ikesa_table_size = 1
+
+    # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+     inactivity_close_ike = yes
+
+    # Limit new connections based on the current number of half open IKE_SAs,
+    # see IKE_SA_INIT DROPPING in strongswan.conf(5).
+    # init_limit_half_open = 0
+
+    # Limit new connections based on the number of queued jobs.
+    # init_limit_job_load = 0
+
+    # Causes charon daemon to ignore IKE initiation requests.
+    # initiator_only = no
+
+    # Install routes into a separate routing table for established IPsec
+    # tunnels.
+    # install_routes = yes
+
+    # Install virtual IP addresses.
+    # install_virtual_ip = yes
+
+    # The name of the interface on which virtual IP addresses should be
+    # installed.
+    # install_virtual_ip_on =
+
+    # Check daemon, libstrongswan and plugin integrity at startup.
+    # integrity_test = no
+
+    # A comma-separated list of network interfaces that should be ignored, if
+    # interfaces_use is specified this option has no effect.
+    # interfaces_ignore =
+
+    # A comma-separated list of network interfaces that should be used by
+    # charon. All other interfaces are ignored.
+    # interfaces_use =
+
+    # NAT keep alive interval.
+     keep_alive = 25s
+
+    # Plugins to load in the IKE daemon charon.
+    # load =
+
+    # Determine plugins to load via each plugin's load option.
+    # load_modular = no
+
+    # Initiate IKEv2 reauthentication with a make-before-break scheme.
+    # make_before_break = no
+
+    # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
+    # and track concurrently.
+    # max_ikev1_exchanges = 3
+
+    # Maximum packet size accepted by charon.
+    # max_packet = 10000
+
+    # Enable multiple authentication exchanges (RFC 4739).
+    # multiple_authentication = yes
+
+    # WINS servers assigned to peer via configuration payload (CP).
+    # nbns1 =
+
+    # WINS servers assigned to peer via configuration payload (CP).
+    # nbns2 =
+
+    # UDP port used locally. If set to 0 a random port will be allocated.
+    # port = 500
+
+    # UDP port used locally in case of NAT-T. If set to 0 a random port will be
+    # allocated.  Has to be different from charon.port, otherwise a random port
+    # will be allocated.
+    # port_nat_t = 4500
+
+    # Whether to prefer updating SAs to the path with the best route.
+    # prefer_best_path = no
+
+    # Prefer locally configured proposals for IKE/IPsec over supplied ones as
+    # responder (disabling this can avoid keying retries due to
+    # INVALID_KE_PAYLOAD notifies).
+    # prefer_configured_proposals = yes
+
+    # By default public IPv6 addresses are preferred over temporary ones (RFC
+    # 4941), to make connections more stable. Enable this option to reverse
+    # this.
+    # prefer_temporary_addrs = no
+
+    # Process RTM_NEWROUTE and RTM_DELROUTE events.
+    # process_route = yes
+
+    # Delay in ms for receiving packets, to simulate larger RTT.
+    # receive_delay = 0
+
+    # Delay request messages.
+    # receive_delay_request = yes
+
+    # Delay response messages.
+    # receive_delay_response = yes
+
+    # Specific IKEv2 message type to delay, 0 for any.
+    # receive_delay_type = 0
+
+    # Size of the AH/ESP replay window, in packets.
+    # replay_window = 32
+
+    # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+    # in strongswan.conf(5).
+    # retransmit_base = 1.8
+
+    # Maximum jitter in percent to apply randomly to calculated retransmission
+    # timeout (0 to disable).
+    # retransmit_jitter = 0
+
+    # Upper limit in seconds for calculated retransmission timeout (0 to
+    # disable).
+    # retransmit_limit = 0
+
+    # Timeout in seconds before sending first retransmit.
+    # retransmit_timeout = 4.0
+
+    # Number of times to retransmit a packet before giving up.
+    # retransmit_tries = 5
+
+    # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
+    # DNS resolution failed), 0 to disable retries.
+    # retry_initiate_interval = 0
+
+    # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
+     reuse_ikesa = yes
+
+    # Numerical routing table to install routes to.
+    # routing_table =
+
+    # Priority of the routing table.
+    # routing_table_prio =
+
+    # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
+    # rsa_pss = no
+
+    # Delay in ms for sending packets, to simulate larger RTT.
+    # send_delay = 0
+
+    # Delay request messages.
+    # send_delay_request = yes
+
+    # Delay response messages.
+    # send_delay_response = yes
+
+    # Specific IKEv2 message type to delay, 0 for any.
+    # send_delay_type = 0
+
+    # Send strongSwan vendor ID payload
+    # send_vendor_id = no
+
+    # Whether to enable Signature Authentication as per RFC 7427.
+    # signature_authentication = yes
+
+    # Whether to enable constraints against IKEv2 signature schemes.
+    # signature_authentication_constraints = yes
+
+    # The upper limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_max = 0xcfffffff
+
+    # The lower limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_min = 0xc0000000
+
+    # Number of worker threads in charon.
+    # threads = 16
+
+    # Name of the user the daemon changes to after startup.
+    # user =
+
+    crypto_test {
+
+        # Benchmark crypto algorithms and order them by efficiency.
+        # bench = no
+
+        # Buffer size used for crypto benchmark.
+        # bench_size = 1024
+
+        # Number of iterations to test each algorithm.
+        # bench_time = 50
+
+        # Test crypto algorithms during registration (requires test vectors
+        # provided by the test-vectors plugin).
+        # on_add = no
+
+        # Test crypto algorithms on each crypto primitive instantiation.
+        # on_create = no
+
+        # Strictly require at least one test vector to enable an algorithm.
+        # required = no
+
+        # Whether to test RNG with TRUE quality; requires a lot of entropy.
+        # rng_true = no
+
+    }
+
+    host_resolver {
+
+        # Maximum number of concurrent resolver threads (they are terminated if
+        # unused).
+        # max_threads = 3
+
+        # Minimum number of resolver threads to keep around.
+        # min_threads = 0
+
+    }
+
+    leak_detective {
+
+        # Includes source file names and line numbers in leak detective output.
+        # detailed = yes
+
+        # Threshold in bytes for leaks to be reported (0 to report all).
+        # usage_threshold = 10240
+
+        # Threshold in number of allocations for leaks to be reported (0 to
+        # report all).
+        # usage_threshold_count = 0
+
+    }
+
+    processor {
+
+        # Section to configure the number of reserved threads per priority class
+        # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
+        priority_threads {
+
+        }
+
+    }
+
+    # Section containing a list of scripts (name = path) that are executed when
+    # the daemon is started.
+    start-scripts {
+
+    }
+
+    # Section containing a list of scripts (name = path) that are executed when
+    # the daemon is terminated.
+    stop-scripts {
+
+    }
+
+    tls {
+
+        # List of TLS encryption ciphers.
+        # cipher =
+
+        # List of TLS key exchange methods.
+        # key_exchange =
+
+        # List of TLS MAC algorithms.
+        # mac =
+
+        # List of TLS cipher suites.
+        # suites =
+
+    }
+
+    x509 {
+
+        # Discard certificates with unsupported or unknown critical extensions.
+        # enforce_critical = yes
+
+    }
+
+}
diff --git a/roles/strongswan/templates/ipsec.conf.j2 b/roles/strongswan/templates/ipsec.conf.j2
index 68fa346..7cd27c9 100644
--- a/roles/strongswan/templates/ipsec.conf.j2
+++ b/roles/strongswan/templates/ipsec.conf.j2
@@ -9,6 +9,8 @@ conn %default
     keyexchange=ikev2
     compress=yes
     dpddelay=35s
+    lifetime=3h
+    ikelifetime=12h
 
 {% if algo_windows %}
     ike={{ ciphers.compat.ike }}
diff --git a/roles/strongswan/templates/mobileconfig.j2 b/roles/strongswan/templates/mobileconfig.j2
index 6cf0ea1..a8123d5 100644
--- a/roles/strongswan/templates/mobileconfig.j2
+++ b/roles/strongswan/templates/mobileconfig.j2
@@ -69,7 +69,7 @@
                     <key>IntegrityAlgorithm</key>
                     <string>SHA2-512</string>
                     <key>LifeTimeInMinutes</key>
-                    <integer>20</integer>
+                    <integer>1440</integer>
                 </dict>
                 <key>DeadPeerDetectionRate</key>
                 <string>Medium</string>
@@ -90,7 +90,7 @@
                     <key>IntegrityAlgorithm</key>
                     <string>SHA2-512</string>
                     <key>LifeTimeInMinutes</key>
-                    <integer>20</integer>
+                    <integer>1440</integer>
                 </dict>
                 <key>LocalIdentifier</key>
                 <string>{{ item.0 }}</string>