[Openswan Users] recommended Phase 1 and Phase 2 keylife values
Peter McGill
petermcgill at goco.net
Mon Mar 3 11:03:40 EST 2008
The defaults are fine. They come from the IPSec RFCs, which suggest:
Phase 1 - 1 hour, Phase 2 - 8 Hours or Phase 1 - 8 hours, Phase 2 - 1 hour.
I recommend you leave the ikelifetime and keylife values alone, unless you
need to change them. For example, some interops require them to be changed
to match the remote system.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of hiren joshi
Sent: March 3, 2008 10:54 AM
To: users at openswan.org
Subject: [Openswan Users] recommended Phase 1 and Phase 2 keylife values
Hello all,
In a normal ipsec connection, what should be the values of ikelifetime (phase-1) and keylife (phase-2).
Particularly whether ikelifetime > keylife, or ikelifetime < keylife ?
As per `man ipsec.conf`, the default value for Phase-1 keylife is 1 hour and for Phase-2 keylife is 8 hours.
Do they represent the recommended ones?
Regards,
-hiren
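
As an added illustration of the interop point in the reply above (not part of the original thread and not Openswan's own code): a small Python check that reads `ikelifetime` and `keylife` from `conn` sections, applies the defaults quoted in the thread plus any `conn %default` values, and lists connections whose lifetimes differ from a peer's. The sample configuration, peer values and function names are constructed; `also=` includes and keyword aliases are not handled.

```python
import re

# Defaults as quoted in this thread from `man ipsec.conf`.
DEFAULTS = {"ikelifetime": "1h", "keylife": "8h"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert a time value such as 3600, 3600s, 60m or 1h to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(float(m.group(1)) * UNITS[m.group(2) or "s"])

def parse_lifetimes(conf_text):
    """Return {conn: {"ikelifetime": secs, "keylife": secs}}, defaults applied."""
    raw, current = {}, None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():        # section header at column 0
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current:
                raw[current] = {}
        elif current and "=" in line:             # indented key=value
            key, val = (s.strip() for s in line.split("=", 1))
            if key in DEFAULTS:
                raw[current][key] = val
    base = {**DEFAULTS, **raw.pop("%default", {})}
    return {name: {k: to_seconds({**base, **vals}[k]) for k in DEFAULTS}
            for name, vals in raw.items()}

def mismatches(local, peer):
    """List (conn, key, local_secs, peer_secs) wherever local differs from peer."""
    return [(c, k, v[k], peer[k]) for c, v in sorted(local.items())
            for k in sorted(DEFAULTS) if v[k] != peer[k]]

# Constructed sample configuration and peer settings (not from the thread).
SAMPLE = """\
conn %default
    keylife=60m
conn office        # inherits ikelifetime default and %default keylife
    left=192.0.2.1
conn vendor
    ikelifetime=28800s
    keylife=3600
"""
PEER = {"ikelifetime": 8 * 3600, "keylife": 3600}   # phase 1 = 8h, phase 2 = 1h
if __name__ == "__main__":
    for conn, key, mine, theirs in mismatches(parse_lifetimes(SAMPLE), PEER):
        print(f"conn {conn}: {key}={mine}s here, peer uses {theirs}s")
```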