[Openswan Users] Regarding the life time for IKE SA and IPsec SA

Tuomo Soini tis at foobar.fi
Mon Jan 16 15:31:00 CET 2006


Shi Lang wrote:

> Regarding the lifetime for IKE SA and IPsec SA, it seems that the
> Openswan default values are:
> 
> IKE sa: 1 hour
> IPsec sa: 8 hours

These values are something prehistoric from the oldest FreeS/WAN version
and nobody has ever touched them.

> But when I refer to other documents, even like Microsoft IPsec, the
> default values are:
> 
> IKE sa: 8 hours
> IPsec sa: 1 hour

These settings really make more sense than Openswan defaults in my
experience. I have used these settings for a long time with good success.

ikelifetime=2h
keylife=1h

> Wondering who is right?

Both are correct. There is nothing to be correct or incorrect here, just
different defaults. Different default values don't affect interoperability.

We have discussed this matter on IRC several times without great success.

- --
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

