[Openswan Users] Regarding the life time for IKE SA and IPsec SA

John A. Sullivan III jsullivan at opensourcedevel.com
Mon Jan 16 13:21:14 CET 2006

On Mon, 2006-01-16 at 19:09 +0100, Paul Wouters wrote:
> On Mon, 16 Jan 2006, Shi Lang wrote:
> > Subject: [Openswan Users] Regarding the life time for IKE SA and IPsec SA
> >
> > Hi all,
> >
> > Regarding the lifetime for IKE SA and IPsec SA, Openswan's default
> > values seem to be:
> >
> > IKE sa: 1 hour
> > IPsec sa: 8 hour
> >
> > But when I refer to other document, even like Microsoft ipsec, the default
> > values are:
> >
> > IKE sa: 8 hour
> > IPsec sa: 1 hour
> >
> > Wondering who is right?
> I think either is allowed by the RFC. Perhaps Michael or Hugh remember why these
> choices were made?
> Paul
I recall pointing this out to the FreeS/WAN development team years ago
and I believe they replied that their choice of defaults was purely
random, i.e., they needed to put in some values so those were the ones
they chose without much thought.

I would think an IKE SA shorter than the IPsec SA is a waste of CPU,
isn't it? The IKE SA is only used to communicate the new IPsec key, I
thought. Thus, renegotiating it several times over the life of the
IPsec key would seem to be generating completely unused IKE SAs. Of
course, I am really only an end user and have never read the RFCs but
that's how I thought it worked - John
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
