IKEv2 Session Resumption


By enabling IKEv2 session resumption, an initiator (client) that has been disconnected from a responder (gateway / concentrator) can try to resume the VPN connection with low overhead.

This works only if Automatically reconnect VPN is enabled (checked in the UI). MOBIKE and QCD (Quick Crash Detection) should also be enabled; both are enabled by default.



- Enable or disable Session Resumption.


By default, session resumption is enabled for an initiator and disabled for a responder. You can change these settings on the Global Configuration tab of the Web console.

- Global Configuration[Tab] > Global Settings[Tab]

  1. Check or uncheck Enable for an initiator (client) and/or Enable for a responder (concentrator / gateway).

  2. Save the global configuration.

  3. Restart Rockhopper like this (e.g. Ubuntu):

    # sudo /etc/init.d/rockhopper restart
    or
    # sudo systemctl restart rockhopper


- Enable a one-time-use session ticket.


By default, a session ticket presented by an initiator (client) to resume a VPN connection is revoked by the responder (concentrator / gateway) only when its validity term expires. For stronger protection you can make tickets one-time-use, so that the responder rejects a ticket that a misbehaving initiator tries to present a second time. Reuse detection is implemented with a Bloom filter, so automatic session resumption occasionally fails on a false positive. This is not a problem, because the VPN client's user or the VPN initiator can simply connect again in the regular way (i.e. start a new IKE_SA_INIT exchange).

See also IKEv2 Session Resumption [RFC5723], sections 4.3 (Presenting a Ticket) and 9.8 (Ticket Revocation), for more details.


- Global Configuration[Tab] > Global Settings[Tab]

  1. Check or uncheck Reject session tickets reused by misbehaving initiators.

  2. Save the global configuration.

  3. Restart Rockhopper like this (e.g. Ubuntu):

    # sudo /etc/init.d/rockhopper restart
    or
    # sudo systemctl restart rockhopper


- Configure Session Resumption service for a responder (concentrator / gateway)


You can change the session resumption configuration by adding the related settings on the Global Configuration tab of the Web console. All of these settings apply to a responder (concentrator / gateway).

- Global Configuration[Tab] > Global Settings[Tab]

  1. Click the Add VPN's Settings button to open the Add a New Global Setting (VPN) dialog.

  2. Select a setting name and enter a setting value in the dialog, then click the OK button.

  3. Save the global configuration.

  4. Restart Rockhopper like this (e.g. Ubuntu):

    # sudo /etc/init.d/rockhopper restart
    or
    # sudo systemctl restart rockhopper

Name: ikev2_sess_resume_key_update_interval
Value: Number of seconds
Default value: 43600 (seconds)
Description: The update interval for the key that encrypts and decrypts session tickets. The previous key is also kept for the same number of seconds and can still be used to decrypt received session tickets, so each key is usable for twice the interval.

Name: ikev2_sess_resume_ticket_lifetime
Value: Number of seconds
Default value: 43200 (seconds)
Description: The validity term of a session ticket used to resume a VPN connection. This value must be less than the IKE SA's lifetime in seconds.

Name: ikev2_sess_resume_tkt_rvk_bfltr_false_ratio
Value: False-positive ratio
Default value: 0.0001 (ratio)
Description: The false-positive ratio of the Bloom filter used to detect reused tickets. The smaller the value, the more memory the filter needs.

Name: ikev2_sess_resume_tkt_rvk_bfltr_max_tkts
Value: Number of tickets
Default value: 110000
Description: The maximum number of session tickets the Bloom filter can track for ticket revocation. The larger the value, the more memory the filter needs. When the number of received tickets reaches this value, the current encryption key is deleted and a new key is generated.
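Putting the one-time-use ticket behaviour from "Enable a one-time-use session ticket" together with the four settings above, the following Python models what a responder does with a ticket: the protection key rotates every ikev2_sess_resume_key_update_interval seconds with the previous key kept for one more interval, tickets expire after ikev2_sess_resume_ticket_lifetime seconds, and reuse is detected by a Bloom filter sized from ikev2_sess_resume_tkt_rvk_bfltr_false_ratio and ikev2_sess_resume_tkt_rvk_bfltr_max_tkts, with the key replaced when the filter fills. This is an added example written for this page, not Rockhopper's own code: the ticket layout, the HMAC-SHA256 protection used in place of the real ticket encryption, the class and function names, and the choice to also drop the previous key when the filter fills are all the example's own assumptions; only the setting names and default values come from the table.

```python
import hashlib
import hmac
import math
import os
import struct

# Defaults copied from the settings table above (the names are Rockhopper's;
# everything below that uses them is this example's own model).
DEFAULTS = {
    "ikev2_sess_resume_key_update_interval": 43600,
    "ikev2_sess_resume_ticket_lifetime": 43200,
    "ikev2_sess_resume_tkt_rvk_bfltr_false_ratio": 0.0001,
    "ikev2_sess_resume_tkt_rvk_bfltr_max_tkts": 110000,
}

HEADER = struct.Struct(">IQ")   # key id, expiry (integer seconds); assumed layout
NONCE_LEN, TAG_LEN = 16, 32


def bloom_params(max_items, false_ratio):
    """Standard sizing: m bits and k probes for n items at false-positive rate p."""
    m = math.ceil(-max_items * math.log(false_ratio) / (math.log(2) ** 2))
    k = max(1, round(m / max_items * math.log(2)))
    return m, k


class BloomFilter:
    """Minimal Bloom filter using SHA-256 double hashing for its k probes."""

    def __init__(self, max_items, false_ratio):
        self.m, self.k = bloom_params(max_items, false_ratio)
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0          # items added; compared against bfltr_max_tkts

    def _positions(self, item):
        h = hashlib.sha256(item).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def probably_contains(self, item):
        # False positives are possible (bounded by false_ratio); false negatives never.
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(item))


class TicketService:
    """Responder-side ticket handling: key ring with one previous key,
    ticket lifetime, and optional one-time-use revocation via a Bloom filter."""

    def __init__(self, now, one_time_use=True, settings=None, rand=os.urandom):
        s = dict(DEFAULTS, **(settings or {}))
        self.interval = s["ikev2_sess_resume_key_update_interval"]
        self.lifetime = s["ikev2_sess_resume_ticket_lifetime"]
        self.false_ratio = s["ikev2_sess_resume_tkt_rvk_bfltr_false_ratio"]
        self.max_tkts = s["ikev2_sess_resume_tkt_rvk_bfltr_max_tkts"]
        self.one_time_use = one_time_use
        self.rand = rand
        self.current_id = 0
        self.keys = {0: rand(32)}       # key id -> secret; at most current + previous
        self.rotated_at = now
        self.seen = BloomFilter(self.max_tkts, self.false_ratio)

    def _rotate(self, now):
        """Time-based update: the outgoing key stays usable for exactly one more
        interval, so every key lives for twice key_update_interval in total."""
        while now - self.rotated_at >= self.interval:
            old_id, old_secret = self.current_id, self.keys[self.current_id]
            self.current_id += 1
            self.keys = {self.current_id: self.rand(32), old_id: old_secret}
            self.rotated_at += self.interval

    def issue(self, now, state):
        """Protect the session state under the current key (HMAC stand-in for
        the real encryption) and stamp it with its expiry."""
        self._rotate(now)
        body = HEADER.pack(self.current_id, now + self.lifetime) + self.rand(NONCE_LEN) + state
        return body + hmac.new(self.keys[self.current_id], body, "sha256").digest()

    def present(self, now, ticket):
        """Return (accepted, reason). Any rejection means the initiator falls
        back to a fresh IKE_SA_INIT exchange, as the text above notes."""
        self._rotate(now)
        if len(ticket) < HEADER.size + NONCE_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        key_id, expiry = HEADER.unpack_from(body)
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "key rotated away"
        if not hmac.compare_digest(hmac.new(secret, body, "sha256").digest(), tag):
            return False, "bad tag"
        if now >= expiry:
            return False, "expired"
        if self.one_time_use:
            if self.seen.probably_contains(tag):
                return False, "reused (or Bloom false positive)"
            self.seen.add(tag)
            if self.seen.count >= self.max_tkts:
                # bfltr_max_tkts reached: the current key is deleted and a new one
                # generated. This model also drops the previous key so the fresh
                # filter can never admit a ticket it has already accepted.
                self.current_id += 1
                self.keys = {self.current_id: self.rand(32)}
                self.seen = BloomFilter(self.max_tkts, self.false_ratio)
        return True, "resumed"
```

With the default values, bloom_params works out to about 2.1 million bits (roughly 260 KB) and 13 probes per ticket, which is the memory trade-off the two Bloom filter settings control. Because a Bloom filter never produces false negatives, a genuinely reused ticket is always caught; the only cost of one-time-use mode is the occasional false positive, which sends the initiator back to a normal IKE_SA_INIT. The rule that the ticket lifetime must stay below the IKE SA lifetime is not modelled here.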



- Reset IKEv2 Session Resumption Keys.


A secret key to encrypt and decrypt session tickets is generated by a responder (concentrator / gateway) after the first boot and is periodically updated (see ikev2_sess_resume_key_update_interval above). It is saved to the file "sess_resume_key" (/home/rhpprotected/config/sess_resume_key).

You can manually reset and update the key on the Management tab of the Web console.

- Management[Tab] > IKEv2[Tab] > Reset an IKEv2 Session Resumption Key.

  1. Click Reset key button.

  2. Restart Rockhopper like this (e.g. Ubuntu):

    # sudo /etc/init.d/rockhopper restart
    or
    # sudo systemctl restart rockhopper

You can also do this with the command-line tool 'rockhopper' (/usr/local/sbin/rockhopper):

    # rockhopper reset-sess-resume-key

Then restart Rockhopper like this (e.g. Ubuntu):

    # sudo /etc/init.d/rockhopper restart
    or
    # sudo systemctl restart rockhopper



- RFC

  IKEv2 Session Resumption [RFC5723]

