[Openswan Users] Regarding the life time for IKE SA and IPsec
Shi Lang
shilang at greenpacket.com
Wed Jan 18 09:47:38 CET 2006
Hi, Peter,
Thanks for replying to me.
You said "however it did cause an inter-op problem with a Nortel switch,"
Can you explain it in more detail?
Regards,
Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
www.greenpacket.com
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Peter McGill
Sent: Tuesday, January 17, 2006 1:09 AM
To: users at openswan.org
Subject: Re: [Openswan Users] Regarding the life time for IKE SA and IPsec
> Regarding the lifetime for IKE SA and IPsec SA, it seems that openswan's
> default values are:
> IKE sa: 1 hour
> IPsec sa: 8 hours
>
> But when I refer to other documents, even like Microsoft ipsec, the default
> values are:
> IKE sa: 8 hours
> IPsec sa: 1 hour
Not sure who's right, I was wondering myself; however, it did cause an
inter-op problem with a Nortel switch I was working with, until I realized
the cause and switched the values for the conn in openswan.
My connection would time out after 1 hour.
I suspect that it is supposed to be IKE: 8, ESP: 1.
The reason being that I believe the ESP phase 2 data connection is based
on the keys negotiated in IKE phase 1, key negotiation/authentication.
If that is so, then when the IKE conn expires and is renegotiated, the
ESP conn should also expire and renegotiate, since it's based on the IKE one?
I'm not sure though.
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited