[Openswan Users] Regarding the life time for IKE SA and IPsec
Peter McGill
petermcgill at goco.net
Mon Jan 16 12:08:54 CET 2006
> Regarding the life time for IKE SA and IPsec SA, it seems that the openswan
> default values are:
> IKE sa: 1 hour
> IPsec sa: 8 hours
>
> But when I refer to other documents, even like Microsoft ipsec, the default
> values are:
> IKE sa: 8 hours
> IPsec sa: 1 hour
Not sure who's right; I was wondering myself. However, it did cause an
inter-op problem with a Nortel switch I was working with, until I realized
the cause and switched the values for the conn in openswan.
My connection would time out after 1 hour.
I suspect that it is supposed to be IKE: 8, ESP: 1.
The reason being that I believe the ESP (phase 2, data) connection is based
on the keys negotiated in IKE (phase 1, key negotiation/authentication).
If that is so, then when the IKE conn expires and is renegotiated, the ESP
conn should also expire and renegotiate, since it's based on the IKE one?
I'm not sure though.
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
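As an added example (not part of Peter's post or of openswan itself), a small Python checker that reads the lifetime keywords from an ipsec.conf conn section, works out the effective phase 1 / phase 2 lifetimes and rekey window, and compares them against a peer's values, so a swap like the one described above is visible before a tunnel drops. It assumes openswan's documented keywords ikelifetime=, keylife=, rekeymargin= and rekeyfuzz= with their s/m/h/d duration syntax; the conn name and config fragment are constructed.

```python
import re
DEFAULTS = {"ikelifetime": "1h", "keylife": "8h",    # openswan's documented
            "rekeymargin": "9m", "rekeyfuzz": "100%"}  # defaults, as quoted
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed ipsec.conf fragment with the swapped values the post describes.
SAMPLE_CONF = """\
conn nortel             # hypothetical conn name
    ikelifetime=8h      # phase 1 (IKE SA)
    keylife=1h          # phase 2 (IPsec SA)
"""

def parse_duration(text):
    """'8h' -> 28800; a bare number is taken as seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conns(conf):
    """Map each 'conn NAME' section to its settings (no %default inheritance)."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():            # section header
            parts = line.split(None, 1)
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                conns[current] = {}
        elif line.strip() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def lifetimes(settings):
    """Effective phase 1 (ike) / phase 2 (ipsec) lifetimes in seconds, plus the window
    in which renegotiation starts: lifetime minus rekeymargin, stretched by rekeyfuzz."""
    cfg = {**DEFAULTS, **settings}
    margin = parse_duration(cfg["rekeymargin"])
    fuzz = int(cfg["rekeyfuzz"].rstrip("%")) / 100.0
    out = {}
    for label, key in (("ike", "ikelifetime"), ("ipsec", "keylife")):
        life = parse_duration(cfg[key])
        out[label] = {"lifetime": life, "rekey_latest": life - margin,
                      "rekey_earliest": life - int(margin * (1 + fuzz))}
    return out

def mismatches(local, peer):  # lifetimes that differ between two peers
    return {k: (local[k]["lifetime"], peer[k]["lifetime"])
            for k in local if local[k]["lifetime"] != peer[k]["lifetime"]}
```

Running `mismatches(lifetimes({}), lifetimes(parse_conns(SAMPLE_CONF)["nortel"]))` compares an openswan-default peer with the swapped conn and reports both lifetimes as differing.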