[Openswan Users] recommended Phase 1 and Phase 2 keylife values

Peter McGill petermcgill at goco.net
Mon Mar 3 11:03:40 EST 2008

The defaults are fine. They come from the IPSec RFCs, which suggest:
Phase 1 - 1 hour, Phase 2 - 8 hours or Phase 1 - 8 hours, Phase 2 - 1 hour.
I recommend you leave the ikelifetime and keylife values alone, unless you
need to change them. For example, some interops require them to be changed
to match the remote system.
Peter McGill


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of hiren joshi
Sent: March 3, 2008 10:54 AM
To: users at openswan.org
Subject: [Openswan Users] recommended Phase 1 and Phase 2 keylife values

Hello all,

In a normal ipsec connection, what should be the values of ikelifetime (phase-1) and keylife (phase-2)?
Particularly, should ikelifetime > keylife, or ikelifetime < keylife?

As per `man ipsec.conf`, the default value for Phase-1 keylife is 1 hour and for Phase-2 keylife is 8 hours.
Do they represent the recommended ones?

