[Openswan Users] ikelifetime < salifetime ?
Mark Himsley
mark at mdsh.com
Sun Aug 14 13:08:10 EDT 2011
One more simple question from me.
Is it correct to say that ikelifetime should be less than salifetime?
I think I caused myself a problem when I reduced salifetime to less than
ikelifetime on a virtually idle link.
When I made salifetime less than ikelifetime I was getting "IPsec SA
expired (LATEST!)" and the link was going into "prospective erouted",
which I think I've fixed by making ikelifetime < salifetime.
When the link was busy (I ran iperf flat out for 1000 minutes!) I didn't
get any "IPsec SA expired (LATEST!)" messages, presumably because I was
moving enough data for the keys to be updated fast enough.
I think I needed to set short lifetimes because it appears that the
VMware server I'm running Openswan on forgets connections when they are
idle.
Reading the man page I see that the defaults are 1h and 8h for
ikelifetime & salifetime respectively, but I don't think I've read a
suggested relationship between them.
Any insight would be most welcome.
Thanks.
--
Mark