[Openswan Users] recommended Phase 1 and Phase 2 keylife values
petermcgill at goco.net
Mon Mar 3 11:03:40 EST 2008
The defaults are fine. They come from the IPsec RFCs, which suggest:
Phase 1 - 1 hour, Phase 2 - 8 Hours or Phase 1 - 8 hours, Phase 2 - 1 hour.
I recommend you leave the ikelifetime and keylife values alone, unless you
need to change them. For example, some interops require them to be changed
to match the remote system.
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of hiren joshi
Sent: March 3, 2008 10:54 AM
To: users at openswan.org
Subject: [Openswan Users] recommended Phase 1 and Phase 2 keylife values
In a normal IPsec connection, what should the values of ikelifetime (phase 1) and keylife (phase 2) be?
In particular, should ikelifetime > keylife, or ikelifetime < keylife?
As per `man ipsec.conf`, the default value for the Phase 1 keylife is 1 hour and for the Phase 2 keylife is 8 hours.
Do they represent the recommended ones?