IPSec VPN Session Reauthentication Issues and Workaround

Zyxel_Kevin (Zyxel Employee)

Question:

How to manage IPSec VPN session reauthentication when the GUI setting isn't working, and what is the permanent solution?

Answer:

The reauthentication/lease time setting for IPSec VPN sessions may not function as expected through the User Interface (GUI), leading to sessions remaining active beyond their configured duration. This is due to a known software bug.

  • Root Cause: The reauth/lease time setting within the Userfield in the GUI was incorrectly applied to IPSec users; it was originally designed for Web Authentication only. This has been identified as a bug that will be addressed in a future firmware release.
  • Resolution:
    • Immediate Workaround (CLI Configuration):
      To enforce reauthentication for IPSec VPN users immediately, you can use the Command Line Interface (CLI) via SSH.
      • Steps:
        1. Log in via SSH to your device.
        2. Enter configuration mode: edit running
        3. Set the reauthentication time (e.g., 8 hours): vrf main ike ike-policy-template RemoteAccessike-t reauth-time 8h
        4. Commit the changes: commit
        5. To ensure the setting persists across reboots, save the running configuration to startup: copy running startup
      • Important Notes:
        • This CLI command applies the reauthentication time to all VPN users.
        • Manually changing this setting via SSH will not cause issues with the WebGUI, and subsequent changes in the WebGUI will not undo this manual setting.
    • Permanent Fix (Firmware Update):
      A permanent fix for this issue, allowing proper reauthentication configuration via the GUI for IPSec VPN users, is expected in the next firmware release (FCS), estimated for October. Users should monitor for this release.