[Openswan Users] Regarding the life time for IKE SA and IPsec

Shi Lang shilang at greenpacket.com
Wed Jan 18 09:47:38 CET 2006


Hi, Peter,

Thanks for replying to me.

You said "however it did cause an inter-op problem with a Nortel switch".
Can you explain it in more detail?


Regards,

Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
www.greenpacket.com


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Peter McGill
Sent: Tuesday, January 17, 2006 1:09 AM
To: users at openswan.org
Subject: Re: [Openswan Users] Regarding the life time for IKE SA and IPsec

> Regarding the life time for IKE SA and IPsec SA, openswan's default
> values seem to be:
> IKE SA: 1 hour
> IPsec SA: 8 hours
>
> But when I refer to other documents, even Microsoft IPsec, the default
> values are:
> IKE SA: 8 hours
> IPsec SA: 1 hour

Not sure who's right, I was wondering myself; however, it did cause an
inter-op problem with a Nortel switch I was working with, until I realized
the cause and switched the values for the conn in openswan.
My connection would time out after 1 hour.
I suspect that it is supposed to be IKE: 8, ESP: 1.
The reason being that I believe the ESP (phase 2, data) connection is based
on the keys negotiated in IKE phase 1 (key negotiation/authentication).
If that is so, then when the IKE conn expires and is renegotiated, the ESP
conn should also expire and renegotiate, since it's based on the IKE one?
I'm not sure though.


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 

_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
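The conn settings Peter describes swapping, written out as an added example that is not part of the original thread and not openswan's own shipped configuration. In openswan's ipsec.conf, `ikelifetime` is the IKE (phase 1) SA lifetime (default 1h, maximum 8h) and `keylife` is the IPsec (phase 2) SA lifetime (default 8h, maximum 24h); `rekeymargin` and `rekeyfuzz` control how early, and with how much jitter, the initiator starts renegotiating before expiry. The conn names, addresses and subnets below are placeholders, and only the conn sections are shown (the `config setup` section is omitted):

```ini
# /etc/ipsec.conf excerpt (added example; names, addresses and subnets are placeholders)

# Openswan's own defaults, spelled out explicitly so the asymmetry is visible:
# IKE SA 1h, IPsec SA 8h. This is what a conn gets if nothing is set.
conn openswan-defaults
        ikelifetime=1h
        keylife=8h
        rekeymargin=9m
        rekeyfuzz=100%
        rekey=yes

# The values swapped to match a peer that expects IKE SA 8h and IPsec SA 1h
# (the shape Peter reports switching to for the Nortel switch).
conn peer-expects-ike8-esp1
        ikelifetime=8h
        keylife=1h
        rekeymargin=9m
        rekeyfuzz=100%
        rekey=yes
        left=192.0.2.1
        leftsubnet=10.0.1.0/24
        right=198.51.100.1
        rightsubnet=10.0.2.0/24
        authby=secret
        auto=start
```

After editing, reload the conn with `ipsec auto --replace peer-expects-ike8-esp1` so pluto picks up the new lifetimes. The practical check is that both peers agree on the lifetimes, or at least that the side you control is never the one holding an SA the peer has already torn down; whichever side has the shorter lifetime will be the first to expire or rekey the SA, and that is the situation in which a tunnel appears to "time out" at a round number of hours.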