[Openswan Users] Regarding the life time for IKE SA and IPsecSA

Shi Lang shilang at greenpacket.com
Tue Jan 17 09:09:56 CET 2006

Hi all,

I found that:
Nowadays, the following set the IKE SA lifetime to 8 hours and the IPsec SA
lifetime to 1 hour by default.

1.        Microsoft:   Key management and protection (Updated: January 21,
2.        novell:
3.        Dell:
4.        Netcomm:
5.        Cisco Pix v6.3.1

It seems like these default values are the industry standard.

IKE SA = 1 hour by default:

1.      freeswan
2.      openswan
3.      strongswan

Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com

-----Original Message-----
From: John A. Sullivan III [mailto:jsullivan at opensourcedevel.com] 
Sent: Tuesday, January 17, 2006 2:21 AM
To: Paul Wouters
Cc: Shi Lang; users at openswan.org
Subject: Re: [Openswan Users] Regarding the life time for IKE SA and IPsecSA

On Mon, 2006-01-16 at 19:09 +0100, Paul Wouters wrote:
> On Mon, 16 Jan 2006, Shi Lang wrote:
> > Subject: [Openswan Users] Regarding the life time for IKE SA and IPsec
> >
> > Hi all,
> >
> > Regarding the life time for IKE SA and IPsec SA, it seems that the
> > openswan default values are:
> >
> > IKE sa: 1 hour
> > IPsec sa: 8 hour
> >
> > But when I refer to other document, even like Microsoft ipsec, the
> > values are:
> >
> > IKE sa: 8 hour
> > IPsec sa: 1 hour
> >
> > Wondering who is right?
> I think either is allowed by the RFC. Perhaps Michael or Hugh remember why
> choices were made?
> Paul
I recall pointing this out to the FreeS/WAN development team years ago
and I believe they replied that their choice of defaults was purely
random, i.e., they needed to put in some values so those were the ones
they chose without much thought.

I would think an IKE SA shorter than the IPSec SA is a waste of CPU,
isn't it? The IKE SA is only used to communicate the new IPSec key, I
thought.  Thus, renegotiating it several times over the life of the
IPSec key would seem to be generating completely unused IKE SAs.  Of
course, I am really only an end user and have never read the RFCs but
that's how I thought it worked - John
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
