[Openswan dev] RE: [Openswan Users] Regarding the life time for IKE SA and IPsecSA

Shi Lang shilang at greenpacket.com
Tue Jan 17 17:17:43 CET 2006


Thanks very much!

Just now I looked at this patch you provided. It indicates that:
+	ikelifetime=8h
+	keylife=1h

I have one doubt about your last sentence:
"I attach a patch to address that for known Windows connections. The same patch
removes things for type=transport and rightsubnet, which should be fixed
for 2.4.5 so it can be defined."

Do you mean the release openswan-2.4.5rc4 will add this patch like the existing
natt and klips patches?

Thanks.

Regards,
 
Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
www.greenpacket.com 
Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com


-----Original Message-----
From: Tuomo Soini [mailto:tis at foobar.fi] 
Sent: Tuesday, January 17, 2006 4:43 PM
To: Shi Lang
Cc: 'Paul Wouters'; Openswan DEV
Subject: Re: [Openswan Users] Regarding the life time for IKE SA and IPsecSA

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shi Lang wrote:
> IKE SA = 1 hour by default:
> 
> 1.      freeswan
> 2.      openswan
> 3.      strongswan

I did some police work.
RFC2407 specifies in:

4.5 IPSEC Security Association Attributes

...
           If unspecified, the default value shall be assumed to be
           28800 seconds (8 hours).
...

So the default value for the IPSEC SA is selected for a reason.

And I found out that f.ex Juniper has the same defaults as *swan.

Another issue is the short IKE SA lifetime. It seems to be a common
interoperability issue that the responder has a shorter IKE lifetime than the
initiator.

I attach a patch to address that for known Windows connections. The same patch
removes things for type=transport and rightsubnet, which should be fixed
for 2.4.5 so it can be defined.

- --
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Foobar - http://enigmail.mozdev.org

iD8DBQFDzK4kTlrZKzwul1ERAnH0AJ97sibQ3wUBtmGmYVPFV6d/VWUWSwCgp3MR
NsHPi4BDejQvqHSb4nxUofY=
=jhTk
-----END PGP SIGNATURE-----
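The lifetime mismatch discussed in this thread (a responder whose IKE SA lifetime is shorter than the initiator's, and the RFC 2407 default of 28800 seconds for the IPsec SA) can be checked mechanically before a connection is deployed. The script below is an added example and is not code from this thread or from the Openswan project; it assumes ipsec.conf lifetimes use a bare number of seconds or an s/m/h/d suffix, and the conn blocks it parses are constructed samples that mirror the before/after of the attached patch (ikelifetime=8h, keylife=1h):

```python
import re

# RFC 2407 section 4.5: IPsec SA lifetime to assume when none is negotiated.
RFC2407_DEFAULT_SA_LIFETIME = 28800  # seconds (8 hours)

# Suffixes accepted for ipsec.conf lifetimes (assumption: s/m/h/d; a bare number is seconds).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample: the responder's conn as the thread describes it, before
# and after the attached patch. Names and values are illustrative only.
RESPONDER_BEFORE = """
conn win-peer
        type=transport
        ikelifetime=1h    # *swan default per the thread
        keylife=8h        # matches the RFC 2407 default
"""

RESPONDER_AFTER = """
conn win-peer
        ikelifetime=8h
        keylife=1h
"""

# Constructed sample of the initiator's policy; only the two lifetimes matter here.
INITIATOR = "ikelifetime=8h\nkeylife=1h\n"


def parse_lifetime(value):
    """Return an ipsec.conf lifetime ('8h', '3600s', '3600') in seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conn(text):
    """Collect the key=value settings of one conn block; '#' comments are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings


def check_lifetimes(initiator, responder):
    """Return a list of findings for the two mismatches the thread raises.

    Missing ikelifetime falls back to 1h (the *swan default named in the thread);
    missing keylife falls back to the RFC 2407 default of 28800 s.
    """
    findings = []
    init_ike = parse_lifetime(initiator.get("ikelifetime", "1h"))
    resp_ike = parse_lifetime(responder.get("ikelifetime", "1h"))
    if resp_ike < init_ike:
        findings.append(
            f"responder IKE lifetime {resp_ike}s is shorter than the initiator's "
            f"{init_ike}s: the responder expires the IKE SA before the initiator expects")
    default_key = str(RFC2407_DEFAULT_SA_LIFETIME)
    init_key = parse_lifetime(initiator.get("keylife", default_key))
    resp_key = parse_lifetime(responder.get("keylife", default_key))
    if init_key != resp_key:
        findings.append(
            f"IPsec SA lifetime differs: initiator keylife {init_key}s, "
            f"responder keylife {resp_key}s (RFC 2407 default is {default_key}s)")
    return findings


if __name__ == "__main__":
    for label, conf in (("before patch", RESPONDER_BEFORE), ("after patch", RESPONDER_AFTER)):
        print(label)
        for finding in check_lifetimes(parse_conn(INITIATOR), parse_conn(conf)) or ["ok"]:
            print("  -", finding)
```

Running it reports the IKE and IPsec lifetime mismatches for the pre-patch conn and nothing for the patched one; the same two functions can be pointed at real ipsec.conf conn blocks once the peer's configured lifetimes are known.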
