[Openswan Users] Key lifetimes (fwd)

Mike Horn lists at caddisconsulting.com
Mon Oct 23 11:53:08 EDT 2006


Thanks, it appears that the max IKE lifetime is 24 hours based on the entry in
ietf_constants.h (thanks to Tuomo Soini for pointing this out).  I would
suggest updating the ipsec.conf man page with this value, as the current
entry defining an 8-hour max lifetime could confuse other Openswan newbies like
it did me.

from include/ietf_constants.h

#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400

-mike 

-----Original Message-----
From: mcr at sandelman.ottawa.on.ca [mailto:mcr at sandelman.ottawa.on.ca] On
Behalf Of Michael Richardson
Sent: Monday, October 23, 2006 9:40 AM
To: Mike Horn
Cc: users at openswan.org
Subject: Re: [Openswan Users] Key lifetimes (fwd) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Mike" == Mike Horn <lists at caddisconsulting.com> writes:
    Mike> Thanks for the explanation, in my experience when an IKE rekey
    Mike> fails you usually also have a problem with IPsec SAs, but
    Mike> since these lifetimes are configurable, users can configure
    Mike> these with values that they think are appropriate.

    Mike> One quick follow up question, you stated "BTW: there are no
    Mike> "maximums", just recommendations."  The man page for
    Mike> ipsec.conf states that the max for IPsec SA lifetimes is 24
    Mike> hours and the max IKE lifetime is 8 hours, are these values
    Mike> incorrect?

  Those are recommendations based upon good crypto-hygiene. There is nothing
that I recall that prevents a longer number from being used.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRTziS4CLcPvd0N1lAQIoDgf/U8MRz2dRMA8CGV0U88Pm5dKz+hljgpej
P1U11lVpQ6iCeMTbs3lNeLb0gN97yqYtY0mXMMrbe/l7Evs87CdObSi2qyEdj7BG
xe2IOWRKsuqMuar6VU47PjD65l/r/TMbu50KDyORXyFEX4G/BR0uYyPhZh77QQAN
ePyNkGQXXjY/knHSxpkmDQgJ58pv3zSksJ9A1TFSHEeyYt8knEdMvtK8GU745mPJ
KANwDCeWBdgOkLu79RVDW85rkVClgVa0TStQ0i3T+LLyBEfHoytIuFgKuxjjOL+L
hkudn657ylhfbtRa7+hEhQP/qoUlY31ysTj1sXMB+6qJlEL7jGB9aw==
=FG+Q
-----END PGP SIGNATURE-----
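A small checker for the lifetimes discussed in this thread, added here as an example; it is not code from the thread or from Openswan. It parses the `conn` sections of an ipsec.conf, reads `ikelifetime` and `keylife` (treating `salifetime` as an alias, which is an assumption), and reports values above the 86400-second OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM from include/ietf_constants.h and above the 8-hour (IKE) and 24-hour (IPsec SA) figures from the ipsec.conf man page quoted above. Whether pluto rejects such values is left open, as in the thread; the script only flags them. The sample configuration is constructed for the example.

```python
"""Lifetime sanity check for Openswan-style ipsec.conf files.

Added example, not part of the mailing-list thread or of Openswan itself.
Limits are the ones named in the thread; what pluto actually enforces is
not assumed here (the thread calls them recommendations).
"""
import re

IKE_LIFETIME_HEADER_MAX = 86400        # OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
IKE_LIFETIME_MANPAGE_MAX = 8 * 3600    # ipsec.conf(5) figure for IKE
IPSEC_LIFETIME_MANPAGE_MAX = 24 * 3600 # ipsec.conf(5) figure for IPsec SAs

# ipsec.conf time values: integer with optional s/m/h/d suffix.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Return the number of seconds in an ipsec.conf time value."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles only what this check needs: unindented section headers
    ('conn NAME', 'config setup'), indented key=value lines, and
    '#' comments. 'config setup' is skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            current = conns.setdefault(parts[1], {}) \
                if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is None or "=" not in line:
            continue
        key, val = line.strip().split("=", 1)
        current[key.strip()] = val.strip()
    return conns


def check_lifetimes(conns):
    """Return (conn, setting, seconds, message) for every lifetime
    above the limits discussed in the thread."""
    findings = []
    for name, opts in conns.items():
        if "ikelifetime" in opts:
            secs = parse_duration(opts["ikelifetime"])
            if secs > IKE_LIFETIME_HEADER_MAX:
                findings.append((name, "ikelifetime", secs,
                                 "exceeds OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM (86400)"))
            elif secs > IKE_LIFETIME_MANPAGE_MAX:
                findings.append((name, "ikelifetime", secs,
                                 "above the 8h figure in ipsec.conf(5)"))
        # keylife and salifetime treated as aliases (assumption).
        for key in ("keylife", "salifetime"):
            if key in opts:
                secs = parse_duration(opts[key])
                if secs > IPSEC_LIFETIME_MANPAGE_MAX:
                    findings.append((name, key, secs,
                                     "above the 24h figure in ipsec.conf(5)"))
    return findings


# Constructed sample configuration, not a real deployment.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn conservative
    ikelifetime=1h
    keylife=8h          # comfortably inside every figure in the thread

conn long
    ikelifetime=12h     # over the man page's 8h, under the 86400 constant
    salifetime=2d       # over the man page's 24h

conn toolong
    ikelifetime=100000  # over OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
"""

if __name__ == "__main__":
    for f in check_lifetimes(parse_ipsec_conf(SAMPLE_CONF)):
        print("%s: %s=%ds %s" % f)
```

Run it against a real ipsec.conf by replacing SAMPLE_CONF with the file's contents; the parser deliberately ignores `also=` includes and `%default` sections, so a connection inheriting its lifetimes from elsewhere is not checked.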