user name
2006-01-17 08:43:16
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shi Lang wrote:
> IKE SA = 1 hour by default:
> 
> 1.      freeswan
> 2.      openswan
> 3.      strongswan

I did some police work.
RFC2407 specifies in:

4.5 IPSEC Security Association Attributes

...
           If unspecified, the default value shall be assumed to be
           28800 seconds (8 hours).
...

So the default value for the IPsec SA was selected for a reason.

And I found out that f.ex. Juniper has the same defaults as *swan.

Another issue is the short IKE SA lifetime. It seems to be a common
interoperability issue that the responder has a shorter IKE lifetime than
the initiator.

I attach a patch to address that for known Windows connections. The same
patch removes things for type=transport and rightsubnet which should be
fixed for 2.4.5 so it can be defined.

- --
Tuomo Soini <tisfoobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Foobar - http://enigmail.mozdev.org


iD8DBQFDzK4kTlrZKzwul1ERAnH0AJ97sibQ3wUBtmGmYVPFV6d/VWUWSwCgp3MR
NsHPi4BDejQvqHSb4nxUofY=
=jhTk
-----END PGP SIGNATURE-----
---
openswan-2.4.5rc4/programs/examples/l2tp-cert.conf.in.lifeti
me	2005-11-01 20:10:07.000000000 +0200
+++
openswan-2.4.5rc4/programs/examples/l2tp-cert.conf.in	2006-0
1-17 10:37:29.000000000 +0200
 -10,18
+10,20 
 	authby=rsasig
 	pfs=no
 	auto=add
-        # we cannot rekey for %any, let client rekey
+	# we cannot rekey for %any, let client rekey
 	rekey=no
-        # Do not enable the line below. It is implicitely
used, and
-        # specifying it will currently break when using
nat-t.
-        # type=transport. See http://bugs
.xelerance.com/view.php?id=466
+	# Set ikelifetime and keylife to same defaults windows has
+	ikelifetime=8h
+	keylife=1h
+	# l2tp-over-ipsec is transport mode
+	type=transport
 	#
 	left=%defaultroute
-        # or you can use: left=YourIPAddress
+	# or you can use: left=YourIPAddress
 	leftrsasigkey=%cert
 	leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
 	# For updated Windows 2000/XP clients,
-        # to support old clients as well, use
leftprotoport=17/%any
+	# to support old clients as well, use
leftprotoport=17/%any
 	leftprotoport=17/1701
 	#
 	# The remote user.
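Review bot: the new comment above `ikelifetime=8h` / `keylife=1h` should say how these interact with the `rekey=no` two lines earlier: with rekeying disabled on the gateway, `keylife=1h` means the gateway lets the IPsec SA expire after an hour and relies entirely on the Windows client to renegotiate before then, which is the intended behaviour but is not obvious from "Set ikelifetime and keylife to same defaults windows has". Suggest something like `# rekey=no: the gateway never rekeys; these match the client's lifetimes so the client rekeys first`. Separately, most lines in this hunk (`# we cannot rekey for %any`, `# or you can use`, `# to support old clients`) change only from eight spaces to a tab; putting the whitespace conversion in its own patch would leave a five-line functional diff that is far easier to review.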
---
openswan-2.4.5rc4/programs/examples/l2tp-cert-orgWIN2KXP.con
f.in.lifetime	2005-11-01 20:10:07.000000000 +0200
+++
openswan-2.4.5rc4/programs/examples/l2tp-cert-orgWIN2KXP.con
f.in	2006-01-17 10:37:42.000000000 +0200
 -8,12
+8,14 
 	authby=rsasig
 	pfs=no
 	auto=add
-        # we cannot rekey for %any, let client rekey
-        rekey=no
-        # Do not enable the line below. It is implicitely
used, and
-        # specifying it will currently break when using
nat-t.
-        # type=transport. See http://bugs
.xelerance.com/view.php?id=466
-        #
+	# we cannot rekey for %any, let client rekey
+	rekey=no
+	# Set ikelifetime and keylife to same defaults windows has
+	ikelifetime=8h
+	keylife=1h
+	# l2tp-over-ipsec is transport mode
+	type=transport
+	#
 	left=%defaultroute
 	# or you can use: left=YourIPAddress
 	leftrsasigkey=%cert
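Review bot: dropping the `# Do not enable the line below ... See http://bugs.xelerance.com/view.php?id=466` comment loses the only pointer to why `type=transport` used to be left out; this example file ships with the release, so an administrator who copies it onto an older Openswan with NAT-T hits that breakage with no hint. Keep one line of history next to the new `type=transport`, e.g. `# explicit type=transport broke with nat-t before 2.4.5 (bug 466)`, matching the cover mail's statement that this should be fixed for 2.4.5.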
 -25,8
+27,8 
 	# The remote user.
 	#
 	right=%any
-        rightca=%same
+	rightca=%same
 	rightrsasigkey=%cert
 	rightprotoport=17/1701
-        rightsubnet=vhost:%priv,%no
+	rightsubnet=vhost:%priv,%no
 
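Review bot: this hunk only re-indents `rightca=%same` and `rightsubnet=vhost:%priv,%no`; the cover mail says the patch "removes things for type=transport and rightsubnet", but nothing about rightsubnet actually changes here, so either the description or the hunk is out of date. If whitespace-only is the intent, say so in the description; if `rightsubnet=vhost:%priv,%no` was meant to change, the change is missing.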
---
openswan-2.4.5rc4/programs/examples/l2tp-psk.conf.in.lifetim
e	2005-11-24 10:37:43.000000000 +0200
+++
openswan-2.4.5rc4/programs/examples/l2tp-psk.conf.in	2006-01
-17 10:37:56.000000000 +0200
 -1,5
+1,5 
 conn L2TP-PSK-NAT
-        rightsubnet=vhost:%priv
+	rightsubnet=vhost:%priv
 	also=L2TP-PSK-noNAT
 
 conn L2TP-PSK-noNAT
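Review bot: whitespace-only hunk (`rightsubnet=vhost:%priv` re-indented). While touching it, note that this file keeps the NAT case in a separate `L2TP-PSK-NAT` conn that `also=`-includes `L2TP-PSK-noNAT`, whereas the cert examples use a single conn with `rightsubnet=vhost:%priv,%no`; if the examples are being aligned, that difference deserves a comment in the file, otherwise this hunk can be folded into a cosmetic patch.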
 -12,17
+12,21 
 	# Use a Preshared Key. Disable Perfect Forward Secrecy.
 	#
 	# PreSharedSecret needs to be specified in
/etc/ipsec.secrets as
-	# YourIPAddress  %any: "sharedsecret"
+	# YourIPAddress	 %any: "sharedsecret"
 	authby=secret
 	pfs=no
 	auto=add
 	keyingtries=3
 	# we cannot rekey for %any, let client rekey
 	rekey=no
+	# Set ikelifetime and keylife to same defaults windows has
+	ikelifetime=8h
+	keylife=1h
+	# l2tp-over-ipsec is transport mode
 	type=transport
 	#
-        left=%defaultroute
-        # or you can use: left=YourIPAddress
+	left=%defaultroute
+	# or you can use: left=YourIPAddress
 	#
 	# For updated Windows 2000/XP clients,
 	# to support old clients as well, use
leftprotoport=17/%any
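Review bot: the `# Use a Preshared Key. Disable Perfect Forward Secrecy.` header plus `pfs=no` makes the new `ikelifetime=8h` security-relevant rather than a pure interop knob: without PFS every Quick Mode key negotiated under an IKE SA is derived from that SA's keying material, so raising the IKE SA lifetime from the 1h default to 8h widens the window in which compromise of one IKE SA exposes all IPsec SAs negotiated under it. Worth a sentence in the comment, and worth checking whether the targeted Windows clients can be configured for PFS. Also, the space-to-tab change inside `# YourIPAddress %any: "sharedsecret"` edits an example line users copy into /etc/ipsec.secrets; harmless, but pure churn.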
---
openswan-2.4.5rc4/programs/examples/l2tp-psk-orgWIN2KXP.conf
.in.lifetime	2005-11-01 20:10:07.000000000 +0200
+++
openswan-2.4.5rc4/programs/examples/l2tp-psk-orgWIN2KXP.conf
.in	2006-01-17 10:38:08.000000000 +0200
 -7,15
+7,17 
 	#
 	authby=secret
 	pfs=no
-        auto=add
-        # we cannot rekey for %any, let client rekey
-        rekey=no
-        # Do not enable the line below. It is implicitely
used, and
-        # specifying it will currently break when using
nat-t.
-        # type=transport. See http://bugs
.xelerance.com/view.php?id=466
-        #
-        left=%defaultroute
-        # or you can use: left=YourIPAddress
+	auto=add
+	# we cannot rekey for %any, let client rekey
+	rekey=no
+	# Set ikelifetime and keylife to same defaults windows has
+	ikelifetime=8h
+	keylife=1h
+	# l2tp-over-ipsec is transport mode
+	type=transport
+	#
+	left=%defaultroute
+	# or you can use: left=YourIPAddress
 	#
 	# Required for original (non-updated) Windows 2000/XP
clients.
 	# to support new clients as well, use
leftprotoport=17/%any
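Review bot: the whole block from `auto=add` to `# or you can use: left=YourIPAddress` is removed and re-added, so the three functional additions (`ikelifetime=8h`, `keylife=1h`, `type=transport`) are buried in indentation churn; regenerating the diff with `diff -w`, or converting whitespace in a separate commit, would make them visible. The comment `# Set ikelifetime and keylife to same defaults windows has` asserts the Windows values without saying where they come from; since this is the file for original, non-updated Windows 2000/XP clients, name the source (the Windows IPsec policy's default main-mode and quick-mode key lifetimes) so a reader can verify the match.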
 -25,4
+27,4 
 	#
 	right=%any
 	rightprotoport=17/1701
-        rightsubnet=vhost:%priv,%no
+	rightsubnet=vhost:%priv,%no
_______________________________________________
Dev mailing list
Devopenswan.org
http://lists.openswan.org/mailman/listinfo/dev
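The mismatch Tuomo describes (a responder whose IKE or IPsec SA lifetime is shorter than the initiator's) is easy to check mechanically. The following is an added example, not code from the thread or from Openswan: a small Python checker that parses ipsec.conf-style conn sections (including `also=` inheritance as used in l2tp-psk.conf.in), applies the Openswan defaults named in the thread (ikelifetime 1h, keylife 8h, i.e. the RFC 2407 28800 s value), and compares them with the Windows values the patch comments state (IKE SA 8h, IPsec SA 1h). The sample configuration is constructed for the example; the `also=` precedence rule (an explicit value in the including section wins) and the `pfs=yes` default are assumptions about Openswan's ipsec.conf semantics.

```python
"""Compare the IKE SA / IPsec SA lifetimes of Openswan-style ipsec.conf conn
sections against a peer's lifetimes, to spot the "responder has a shorter
lifetime than the initiator" interoperability problem."""
import re

# Openswan defaults applied when the keyword is absent: ikelifetime=1h for the
# IKE (ISAKMP) SA, keylife=8h for the IPsec SA (28800 s, the RFC 2407 4.5 default).
OPENSWAN_DEFAULTS = {"ikelifetime": 3600, "keylife": 28800}

# Windows 2000/XP client values as stated by the patch comments in the thread
# ("Set ikelifetime and keylife to same defaults windows has").
WINDOWS_PEER = {"ikelifetime": 8 * 3600, "keylife": 3600}

_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_lifetime(value):
    """Convert an ipsec.conf time value ('8h', '30m', '28800', '28800s') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad lifetime value: %r" % (value,))
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_conns(text):
    """Minimal parser for 'conn NAME' sections: indented key=value lines and
    '#' comments. also= includes are flattened; an explicit value in the
    including section is assumed to win over the included one."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            cur = conns.setdefault(m.group(1), {"also": []}) if m else None
            continue
        if cur is None:                           # e.g. inside 'config setup'
            continue
        key, _, val = line.strip().partition("=")
        if key.strip() == "also":
            cur["also"].append(val.strip())
        else:
            cur[key.strip()] = val.strip()
    return {name: _resolve(name, conns, ()) for name in conns}


def _resolve(name, conns, seen):
    """Flatten also= chains recursively, refusing include loops."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    sec = conns[name]
    out = {k: v for k, v in sec.items() if k != "also"}
    for target in sec["also"]:
        for k, v in _resolve(target, conns, seen + (name,)).items():
            out.setdefault(k, v)
    return out


def effective_lifetimes(conn):
    """Lifetimes in seconds after applying the Openswan defaults for absent keywords."""
    return {k: parse_lifetime(conn.get(k, str(d))) for k, d in OPENSWAN_DEFAULTS.items()}


def shorter_than_peer(conn, peer):
    """SA types whose local lifetime is below the peer's. A responder with such a
    setting tears the SA down before the initiator expects to rekey it."""
    local = effective_lifetimes(conn)
    return sorted(k for k in local if local[k] < peer[k])


def key_exposure_window(conn):
    """Seconds for which compromise of one SA's secret state exposes traffic keys.
    IKEv1 Quick Mode without PFS (pfs=no) derives every IPsec key from the IKE
    SA's SKEYID_d (RFC 2409 5.5), so the window is ikelifetime, not keylife."""
    life = effective_lifetimes(conn)
    return life["ikelifetime"] if conn.get("pfs", "yes") == "no" else life["keylife"]


# Constructed sample (not from the thread), mirroring the l2tp-psk example's
# NAT/noNAT split: the noNAT conn carries the patch's values, 'stock' sets none.
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
\trightsubnet=vhost:%priv
\talso=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
\tauthby=secret
\tpfs=no
\trekey=no
\t# Set ikelifetime and keylife to same defaults windows has
\tikelifetime=8h
\tkeylife=1h
\ttype=transport
\tleft=%defaultroute
\tright=%any

conn L2TP-PSK-stock
\tauthby=secret
\tpfs=no
\trekey=no
\ttype=transport
\tleft=%defaultroute
\tright=%any
"""

if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        life = effective_lifetimes(conn)
        print("%-15s ikelifetime=%5ds keylife=%5ds shorter than Windows peer: %s; "
              "key exposure window: %ds" % (name, life["ikelifetime"], life["keylife"],
              ", ".join(shorter_than_peer(conn, WINDOWS_PEER)) or "none",
              key_exposure_window(conn)))
```

Run against a real /etc/ipsec.conf by passing its contents to `parse_conns`; the stock conn is flagged on `ikelifetime` (local 1h against the client's 8h), which is exactly the responder-shorter-than-initiator case, while the patched conn is not flagged but shows an 8h key exposure window because `pfs=no` ties every IPsec key to the IKE SA.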
user name
2006-01-17 17:17:17
On Tue, 17 Jan 2006, Tuomo Soini wrote:

> I attach patch to address that for known windows
connections.

What does this fix? We have tested l2tp connections and they stay up
for 24+ hours without those added ikelifetime= and lifetime= settings.

What is the problem you are seeing?

Paul
user name
2006-01-17 09:17:43
Thanks very much!

Just now I looked at this patch you provided. It indicates that:
+	ikelifetime=8h
+	keylife=1h

I have one doubt about your last sentence:
"I attach patch to address that for known windows connections. Same patch
removes things for type=transport and rightsubnet which should be fixed
for 2.4.5 so it can be defined."

Do you mean the release openswan-2.4.5rc4 will add this patch like the
existing natt and klips patches?

Thanks.

Regards,
 
Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
www.greenpacket.com 
Tel: 006-03-89966022 ext: 105
E-mail: shilanggreenpacket.com


-----Original Message-----
From: Tuomo Soini [mailto:tisfoobar.fi] 
Sent: Tuesday, January 17, 2006 4:43 PM
To: Shi Lang
Cc: 'Paul Wouters'; Openswan DEV
Subject: Re: [Openswan Users] Regarding the life time for
IKE SA and IPsecSA

user name
2006-01-17 18:38:41
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Wouters wrote:
> On Tue, 17 Jan 2006, Tuomo Soini wrote:
> 
>> I attach patch to address that for known windows connections.
> 
> What does this fix? We have tested l2tp connections and they stay up
> for 24+ hours without those added ikelifetime= and lifetime= settings.
> 
> What is the problem you are seeing?

I have noticed that when an l2tp-over-ipsec connection with a Windows road
warrior breaks, it takes hours to get it working again. Using the same
default values as Windows uses, we could drop the IPsec SA sooner, making
recovery of the connection faster.

Usually it's best to have similar settings on both ends.

No real bug fixed (other than the old warning about type=tunnel and cosmetic
stuff).

- --
Tuomo Soini <tisfoobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Foobar - http://enigmail.mozdev.org


iD8DBQFDzTmxTlrZKzwul1ERAg7qAJ4oKeSi+sgjrneesJn05uXlCMtKgwCfQj+0
5ANYHh6aptYKyhIy10hTgCM=
=PifI
-----END PGP SIGNATURE-----
user name
2006-01-17 18:40:05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tuomo Soini wrote:
> No real bug fixed (other than old warning about type=tunnel and cosmetic
> stuff).

Aargh. type=transport ...

- --
Tuomo Soini <tisfoobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Foobar - http://enigmail.mozdev.org


iD8DBQFDzToFTlrZKzwul1ERAkHdAKCPZro9r2fGE4oc+FvYQt5YJNp21QCfbC0y
ZqbBEm2QleAN+qh2RzDa5Hg=
=oJfa
-----END PGP SIGNATURE-----