[Openswan Users] Key lifetimes (fwd)
Mike Horn
lists at caddisconsulting.com
Mon Oct 23 11:53:08 EDT 2006
Thanks. It appears that the max IKE lifetime is 24hrs based on the entry in
ietf_constants.h (thanks to Tuomo Soini for pointing this out). I would
suggest updating the ipsec.conf man page with this value, as the current
entry defining an 8hr max lifetime could confuse other Openswan newbies like
it did me.
From include/ietf_constants.h:
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400
-mike
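As an added example (not from the thread, nor Openswan's own parser), the following Python script reads a minimal ipsec.conf, converts the ikelifetime values from the s/m/h/d time format of ipsec.conf(5) into seconds, and flags any conn whose IKE lifetime exceeds the 86400-second OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM quoted above. It assumes the simplified conn/indented-parameter layout shown in the constructed sample and only inspects ikelifetime.

```python
import re
# Maximum IKE (ISAKMP) SA lifetime in seconds, as quoted from Openswan's
# include/ietf_constants.h earlier in this message.
OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM = 86400
# Multipliers for the ipsec.conf time suffixes: s, m, h, d (no suffix = seconds).
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_lifetime(value):
    """Convert an ipsec.conf time value such as '8h', '86400' or '1d' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad ipsec.conf time value: %r" % value)
    number, unit = m.groups()
    return int(number) * _UNITS[unit]

def check_conf(conf_text):
    """Return {conn: [messages]} for every conn whose ikelifetime is above the maximum."""
    problems = {}
    conn = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section header: "conn name" / "config setup"
            parts = line.split()
            conn = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            continue
        if conn is None or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if key == "ikelifetime":
            secs = parse_lifetime(val)
            if secs > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM:
                problems.setdefault(conn, []).append(
                    "ikelifetime=%s is %d s, above the %d s maximum"
                    % (val, secs, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM))
    return problems

# Constructed sample ipsec.conf (not from the thread): 'office' is fine,
# 'branch' asks for a two-day IKE lifetime.
SAMPLE_CONF = """\
conn office
    ikelifetime=8h
    salifetime=24h
conn branch
    ikelifetime=2d
    salifetime=8h
"""
```

Running check_conf(SAMPLE_CONF) reports only the branch conn, since 2d is 172800 seconds.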
-----Original Message-----
From: mcr at sandelman.ottawa.on.ca [mailto:mcr at sandelman.ottawa.on.ca] On
Behalf Of Michael Richardson
Sent: Monday, October 23, 2006 9:40 AM
To: Mike Horn
Cc: users at openswan.org
Subject: Re: [Openswan Users] Key lifetimes (fwd)
>>>>> "Mike" == Mike Horn <lists at caddisconsulting.com> writes:
Mike> Thanks for the explanation. In my experience, when an IKE rekey
Mike> fails you usually also have a problem with IPsec SAs, but
Mike> since these lifetimes are configurable, users can configure
Mike> these with values that they think are appropriate.
Mike> One quick follow-up question: you stated "BTW: there are no
Mike> "maximums", just recommendations." The man page for
Mike> ipsec.conf states that the max for IPsec SA lifetimes is 24
Mike> hours and the max IKE lifetime is 8 hours. Are these values
Mike> incorrect?
Those are recommendations based upon good crypto-hygiene. There is nothing
that I recall that prevents a longer number from being used.
--
] Bear: "Me, I'm just the shape of a bear."                    | firewalls      [
] Michael Richardson, Xelerance Corporation, Ottawa, ON        | net architect  [
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/  | device driver  [
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [