Hello Gary,
Thank you for your detailed response.
Here's a summary of what I've tried so far to change the main mode lifetime setting for L2TP over IPsec VPN on a Windows 10 machine, where I aim to reduce the default 8-hour lifetime to 1 hour:
- PowerShell Commands: I utilized PowerShell to retrieve and modify the IPsec settings, and to restart the related services. Here are some of the specific commands I used:
  Get-NetIPsecMainModeSA
  Get-NetIPsecQuickModeSA
  Set-NetIPsecMainModeCryptoSet -KeyLifetimeHours 1
  Get-NetIPsecMainModeCryptoSet
  Get-NetIPsecQuickModeCryptoSet
  Restart-Service -Name IKEEXT -Force
  Restart-Service -Name PolicyAgent -Force
- NETSH Commands: I used netsh to adjust the key lifetime and view the existing policies and global settings:
  netsh advfirewall set global mainmode mmkeylifetime 60min
  netsh advfirewall monitor show mmsa
  netsh advfirewall show global
- GUI: I navigated through the Windows Firewall with Advanced Security to the IPsec settings:
- Path: Right panel -> Properties -> IPsec Settings -> Customize IPsec defaults -> Key Exchange (advanced).
- Here, I changed the settings from the default 8 hours to 1 hour.
- Updated the IPsec policy used in negotiations.
Despite these changes, during the negotiation phase, the settings seem not to be applied as the peer still receives an 8-hour lifetime proposal.
Control over Settings: I have administrative control over the VPN client settings on the Windows 10 machine. The VPN server is a Cisco router which sees the lifetime proposed by the client as 8 hours.
Reason for Change: The main reason for wanting to change the Phase 1 lifetime is due to the behavior of Phase 2, which is set to renegotiate every 1 hour. Each time Phase 2 renegotiates, it triggers Phase 1 to renegotiate as well, although the previous session remains open for the remaining 7 hours. This cycle increases traffic unnecessarily, as multiple sessions are open concurrently. Ideally, I would like to align the Phase 1 lifetime closer to the Phase 2 duration to optimize the traffic and management of these sessions.
It feels like the lifetime is hardcoded and does not comply with any changes I have made by following Microsoft documentation and anything else I found on the Internet.
Note: L2TP over IPsec is in transport mode, as it does not support tunnel mode, but Microsoft is not specific about what the limitations are in this instance, i.e. whether mmkeylifetime can be changed or not:
Thank you for your assistance.
Regards
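As an added check (not part of the message above), a PowerShell snippet that lists the main mode crypto set lifetime from both the persistent policy store and the active store, so a value that was written but never applied to the running policy becomes visible; it assumes the NetSecurity module's MaxMinutes and MaxSessions properties (MaxMinutes defaults to 480, i.e. 8 hours) and an elevated prompt.

```powershell
# Added check: compare the persisted main mode crypto set lifetime with the
# one actually in force. Assumes the NetSecurity module (Windows 8.1/10+)
# and an elevated PowerShell session.
$stores = 'PersistentStore', 'ActiveStore'
foreach ($store in $stores) {
    Write-Host "== Main mode crypto sets in $store =="
    Get-NetIPsecMainModeCryptoSet -PolicyStore $store -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, MaxMinutes, MaxSessions |
        Format-Table -AutoSize
}

# Live main mode SAs: if the lifetime reported here is still near 480
# minutes after the change, the negotiation did not pick up the new set.
Write-Host "== Active main mode SAs =="
Get-NetIPsecMainModeSA | Format-List *
```

If the ActiveStore entry still shows MaxMinutes of 480 while the PersistentStore entry shows 60, the crypto set was edited but is not the one the active policy references.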