<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
All, <br><br>My client is interested in expiring the SA based on elapsed time, traffic volume, and having the ability to manually expire an SA.<br><br>I have found the ipsec.conf file contains the parameters "keylife" for IPsec SA and "ikelifetime" for ISAKMP SA. Both of these parameters allow the user to set the time before new SAs are negotiated. <br><br>Does anyone know how I would allow the expiration of the SA manually or based on traffic volume? <br><br>Thank you,<br><br><p class="EC_EC_MsoNormal" style=""><a name="_MailAutoSig"><span style="font-size: 12pt;"><font color="#000000"><font face="Calibri">*********************************</font></font></span></a></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><b style=""><i style=""><span style="font-size: 12pt;"><font color="#000000"><font face="Calibri">Jennifer Agarwal</font></font></span></i></b></span></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><span style=""><font size="3"><font color="#000000"><font face="Calibri">President / Principal Engineer<br></font></font></font></span></span></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><span style=""><font size="3"><font color="#000000"><font face="Calibri">Exquisite Software Solutions, LLC</font></font></font></span></span></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><span style=""><font size="3"><font color="#000000"><font face="Calibri">(240) 483-8619</font></font></font></span></span></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><span style=""><font size="3"><font color="#000000"><font face="Calibri">jsagarwal@exqss.com</font></font></font></span></span></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><span style="font-size: 12pt; font-family: 'Arial','sans-serif';"><font color="#000000"> </font></span></span></p>
<p class="EC_EC_MsoNormal" style=""><span style=""><span style="font-size: 12pt;"><font color="#000000"><font face="Calibri">*********************************</font></font></span></span></p><br><br><br><br>> Date: Thu, 11 Dec 2008 14:40:30 -0500<br>> From: paul@xelerance.com<br>> To: jsagarwal@exqss.com<br>> CC: users@openswan.org<br>> Subject: Re: [Openswan Users] "ike" parameter in ipsec.conf file<br>> <br>> On Thu, 11 Dec 2008, Jennifer Agarwal wrote:<br>> <br>> > I am having trouble understanding the "ike" parameter in the ipsec.conf file. According to the man page<br>> > <br>> > ike=cipher-hash-modgroup but what are all the possible choices. <br>> <br>> Mostly 3des,aes for cipher, sha1,md5,sha256 for hash, and modgroup's modp1024, modp1536,modp2048 etc.<br>> <br>> > 000 "ipsec0": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict<br>> > 000 "ipsec0": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)<br>> > 000 "ipsec0": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024<br>> <br>> Btw. I would not call your connection "ipsec0", that is very confusing as that is an interface name, not<br>> a connection name.<br>> <br>> > So it looks like the tunnel has been negotiated with SA#45. Should I be concerned with the "wanted" "found" and newest not all matching?<br>> <br>> the 000 just means any acceptable keysize (192, 256)<br>> <br>> > If anyone could provide me with further examples of what is allowed for the parameter "ike" I would appreciate it. <br>> <br>> There are many examples in the testsuite in testing/pluto/*ike*<br>> <br>> Paul<br></body>
</html>