[Openswan Users] Key lifetimes

Tuomo Soini tis at foobar.fi
Fri Oct 20 13:56:25 EDT 2006


Mike Horn wrote:
> Hi,
> 
> I wanted to get a quick clarification on the key lifetimes in Openswan. 
> From man ipsec.conf I see:
> 
> keylife = IPsec SA lifetime with 8hr default and max 24hr
> ikelifetime = IKE SA lifetime with 1hr default and max 8hr

from include/ietf_constants.h:

...
/* Oakley Lifetime Type attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 * As far as I can see, there is not specification for
 * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT.  This could lead to interop problems!
 * For no particular reason, we chose one hour.
 * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
 */
extern enum_names oakley_lifetime_names;

#define OAKLEY_LIFE_SECONDS   1
#define OAKLEY_LIFE_KILOBYTES 2

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600    /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* 1 day */
...

Maximum used to be 28800 on FreeS/WAN but it was fixed in
Super-FreeS/WAN because it caused interop problems.

I agree that a longer default lifetime could be a good idea.

Using 8h as the ISAKMP lifetime default could be a good idea. Setting a shorter
lifetime for the IPsec SA might cause too much rekeying if you have lots of
tunnels. I don't have so many tunnels that it hurts, so I generally use

ikelifetime=9h
keylife=1h

--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
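As an added illustration (not part of this thread or of the Openswan source), a small C program built around the two header constants quoted above: it parses ipsec.conf-style lifetime values, checks an ikelifetime against the header's local-policy maximum, and shows how keylife and tunnel count drive the daily rekey load that the reply warns about. The functions parse_lifetime, check_ikelifetime and rekeys_per_day are mine, and the s/m/h/d suffix handling is assumed from the ipsec.conf time syntax.

```c
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

/* Constants as quoted from Openswan's include/ietf_constants.h. */
#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600    /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* 1 day */

/* Parse an ipsec.conf lifetime ("3600", "30m", "9h", "1d") into seconds.
 * Suffix handling is an assumption based on the ipsec.conf time syntax.
 * Returns -1 on malformed input (empty, non-numeric, unknown suffix, trailing junk). */
long parse_lifetime(const char *s)
{
    char *end;
    long n;
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    n = strtol(s, &end, 10);
    switch (*end) {
    case '\0': return n;            /* bare number means seconds */
    case 's': break;
    case 'm': n *= 60; break;
    case 'h': n *= 3600; break;
    case 'd': n *= 86400; break;
    default: return -1;
    }
    return end[1] == '\0' ? n : -1;
}

/* Check an IKE (ISAKMP) SA lifetime against the header's local-policy maximum.
 * Returns 0 when within the maximum, 1 when it exceeds it, -1 when unparsable. */
int check_ikelifetime(const char *s)
{
    long secs = parse_lifetime(s);
    if (secs < 0) return -1;
    return secs > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM ? 1 : 0;
}

/* Whole IPsec SA rekeys per day across `tunnels` tunnels (rounded down). */
long rekeys_per_day(int tunnels, long keylife_secs)
{
    if (tunnels <= 0 || keylife_secs <= 0) return 0;
    return (long)tunnels * (86400 / keylife_secs);
}

int main(void)
{
    printf("ikelifetime=9h -> %ld s, within %d s maximum: %s\n", parse_lifetime("9h"),
           OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM, check_ikelifetime("9h") == 0 ? "yes" : "no");
    printf("200 tunnels: keylife=1h -> %ld rekeys/day, keylife=8h -> %ld rekeys/day\n",
           rekeys_per_day(200, parse_lifetime("1h")), rekeys_per_day(200, parse_lifetime("8h")));
    return 0;
}
```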