[Openswan Users] Regarding the life time for IKE SA and IPsec

Peter McGill petermcgill at goco.net
Mon Jan 16 12:08:54 CET 2006


> Regarding the life time for IKE SA and IPsec SA, openswan seems that the
> default values are:
> IKE sa: 1 hour
> IPsec sa: 8 hour
>
> But when I refer to other document, even like Microsoft ipsec, the default
> values are:
> IKE sa: 8 hour
> IPsec sa: 1 hour

Not sure who's right, I was wondering myself, however it did cause an
inter-op problem with a Nortel switch, I was working with. Until I realized
the cause and switched the values for the conn in openswan.
My connection would timeout after 1 hour.
I suspect that it is supposed to be IKE: 8, ESP: 1
The reason being, that I believe the ESP phase 2, data connection is based
on the key's negotiated in IKE phase 1, key negotiation/authentication.
If that is so, then when the IKE conn expires, is renegotiated, that the 
ESP,
conn should also expire, renegotiate, since it's based on the IKE one?
I'm not sure though.


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 



More information about the Users mailing list