[Openswan Users] question about ike_life/ipsec_life

Andy fs at globalnetit.com
Sat Oct 15 03:05:05 CEST 2005


Actually, if by "typically" we mean that we're using the default values,
this is not correct, I believe.

According to ipsec.conf(5), keylife (phase 2) default is 8 hours,
ikelifetime default is 1 hour. So "typically", phase 2 lifetime is
longer than phase 1.

Maximums are given as 24 hours and 8 hours respectively.

[The same defaults are also given in ipsec_pluto(8), assuming keylife is
equivalent to --ipseclifetime, but there's some disagreement there about
the maximum, which is given as 24 hours for both. I think ipsec.conf(5)
is correct in that regard.]

It's not clear to me whether it's "correct" to have a longer lifetime
for one SA or the other. But I note that Cisco's defaults for their PIX
appliance are the other way around - they use 1 day for IKE/phase 1, 8
hours for ipsec/phase 2, according to their online documentation.

Perhaps a debate about what values are "appropriate" (rather than
"correct") is in order... Opinions, anyone?




On Tue, 2005-09-27 at 16:12 +0200, Paul Wouters wrote:
> On Tue, 27 Sep 2005, Agent Smith wrote:
> 
> > ike_life is set by the keyword ikelifetime which is
> > phase 1 timeout (maximum supported is 8 hr.)
> >
> > ipsec_life is set by keylife keyword and that is phase
> > 2 timeout.
> >
> > phase 2 timeout is typically less then phase 1
> > timeout.
> >
> > correct?
> 
> Yes
> 
> Paul
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
-- 
Andy <fs at globalnetit.com>
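A small checker added for this thread (not Openswan's own code) that parses ipsec.conf conn sections and compares ikelifetime/keylife against the defaults and maxima quoted above from ipsec.conf(5); the config text is constructed, and flagging the PIX-style ordering (keylife shorter than ikelifetime) is an assumption about what an operator reviewing a config would want pointed out.

```python
import re

# Time suffixes accepted in ipsec.conf values; a bare number means seconds.
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Defaults and maxima as quoted in this thread from ipsec.conf(5).
DEFAULTS = {"ikelifetime": 1 * 3600, "keylife": 8 * 3600}   # phase 1, phase 2
MAXIMUMS = {"ikelifetime": 8 * 3600, "keylife": 24 * 3600}

# Constructed sample config: one conn with the PIX-style ordering, one using defaults.
SAMPLE = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=3

conn pix-style
    ikelifetime=24h
    keylife=8h

conn openswan-defaults
    left=%defaultroute
"""

def parse_time(value):
    """Convert an ipsec.conf time value such as '8h' or '3600' to seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]

def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn section, applying conn %default."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                      # section header at column 0
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:        # indented key=value parameter
            k, _, v = line.strip().partition("=")
            current[k.strip()] = v.strip()
    default = conns.pop("%default", {})
    return {n: {**default, **kv} for n, kv in conns.items()}

def check_lifetimes(text):
    """Return a list of (conn_name, finding) tuples for lifetime settings worth a look."""
    findings = []
    for name, kv in parse_conns(text).items():
        life = {k: parse_time(kv[k]) if k in kv else DEFAULTS[k] for k in DEFAULTS}
        for k, secs in life.items():
            if secs > MAXIMUMS[k]:
                findings.append((name, f"{k}={secs}s exceeds the documented maximum"))
        if life["keylife"] < life["ikelifetime"]:
            findings.append((name, "keylife shorter than ikelifetime (PIX-style ordering)"))
    return findings

if __name__ == "__main__":
    for conn, msg in check_lifetimes(SAMPLE):
        print(f"{conn}: {msg}")
```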
