-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mike Horn wrote:
> Hi,
>
> I wanted to get a quick clarification on the key lifetimes in Openswan.
> From man ipsec.conf I see:
>
> keylife = IPsec SA lifetime with 8hr default and max 24hr
> ikelifetime = IKE SA lifetime with 1hr default and max 8hr
from include/ietf_constants.h:
...
/* Oakley Lifetime Type attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 * As far as I can see, there is no specification for
 * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT.  This could lead to interop problems!
 * For no particular reason, we chose one hour.
 * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
 */
extern enum_names oakley_lifetime_names;
#define OAKLEY_LIFE_SECONDS 1
#define OAKLEY_LIFE_KILOBYTES 2
#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600  /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* 1 day */
...
Maximum used to be 28800 on FreeS/WAN but it was fixed in Super-FreeS/WAN
because it caused interop problems.

I agree that a longer default lifetime could be a good idea. Using 8h for
the ISAKMP lifetime default could be a good idea. Setting a shorter
lifetime for the IPsec SA might cause too much rekeying if you have lots of
tunnels. I don't have so many tunnels that it hurts, so I generally use

ikelifetime=9h
keylife=1h
- --
Tuomo Soini <tis foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFFOQ3JTlrZKzwul1ERAsv+AKCbOjNHTva0n88HldVEiDURQjn52QCeI7dC
E8ZcI37r6AdNc0NjAT8M5PU=
=Xqon
-----END PGP SIGNATURE-----
_______________________________________________
Users openswan.org
http://lists.openswan.org/mailman/listinfo/users
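The thread boils down to two numbers that are easy to get wrong in a large deployment: the IKE SA limit compiled into Openswan (OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM = 86400) and the 24h keylife ceiling from the ipsec.conf man page, plus the rekeying load that a short keylife produces across many tunnels. The following is an added example written for this page, not Openswan's own code: it parses the conn sections of an ipsec.conf, resolves ikelifetime/keylife to seconds, flags values above the limits quoted in the thread, and estimates the IPsec rekey rate for a given tunnel count. It assumes ipsec.conf's time syntax (a number with an optional s/m/h/d suffix, seconds when unsuffixed) and that each tunnel rekeys about once per keylife; the sample configuration is constructed.

```python
"""Sanity-check IKE/IPsec SA lifetimes in ipsec.conf conn sections.

Added example for this thread, not Openswan code.  Limits are the ones quoted
in the thread: OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM (86400 s) for the IKE SA and
the 24h keylife maximum from the ipsec.conf man page.
"""
import re

# From include/ietf_constants.h as quoted in the thread.
OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT = 3600    # one hour
OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM = 86400   # 1 day, local policy
# From the ipsec.conf man page as quoted in the thread.
KEYLIFE_DEFAULT = 8 * 3600                  # 8hr default
KEYLIFE_MAXIMUM = 24 * 3600                 # 24hr maximum

# Assumed ipsec.conf time suffixes: seconds, minutes, hours, days.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """Convert an ipsec.conf time value ('9h', '30m', '3600') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    Section headers start at column 0; parameters are indented; '#' starts a
    comment.  'config setup' and other non-conn sections are skipped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.startswith("conn "):
                current = line.split(None, 1)[1].strip()
                conns[current] = {}
            else:
                current = None
            continue
        if current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns


def check_lifetimes(conn):
    """Return (ikelifetime_s, keylife_s, problems) for one conn section.

    Missing parameters fall back to the defaults quoted in the thread.
    """
    ike = parse_time(conn.get("ikelifetime", str(OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT)))
    key = parse_time(conn.get("keylife", str(KEYLIFE_DEFAULT)))
    problems = []
    if ike > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM:
        problems.append("ikelifetime %ds exceeds OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM (%ds)"
                        % (ike, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM))
    if key > KEYLIFE_MAXIMUM:
        problems.append("keylife %ds exceeds the 24h maximum from the man page" % key)
    return ike, key, problems


def rekeys_per_hour(tunnels, keylife_s):
    """Rough IPsec rekey load: each tunnel rekeys about once per keylife."""
    return tunnels * 3600.0 / keylife_s


# Constructed sample configuration; 'tuomo' mirrors the values in the reply.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn tuomo
    ikelifetime=9h
    keylife=1h      # short keylife, as in the thread

conn defaults_only
    left=%defaultroute

conn too_long
    ikelifetime=2d
    keylife=25h
"""

if __name__ == "__main__":
    for name, conn in parse_conn(SAMPLE_CONF).items():
        ike, key, problems = check_lifetimes(conn)
        print("%-14s ikelifetime=%6ds keylife=%6ds  %s"
              % (name, ike, key, "; ".join(problems) or "ok"))
    for n in (10, 1000):
        print("%d tunnels, keylife=1h: %.0f rekeys/hour; keylife=8h: %.0f rekeys/hour"
              % (n, rekeys_per_hour(n, 3600), rekeys_per_hour(n, 8 * 3600)))
```

The rekey estimate makes the trade-off in the reply concrete: with keylife=1h, a thousand tunnels rekey roughly a thousand times an hour, eight times the load of the 8h default, which is the cost Tuomo accepts because his tunnel count is small.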