[Openswan Users] ikelifetime < salifetime ?

Mark Himsley mark at mdsh.com
Sun Aug 14 13:08:10 EDT 2011

One more simple question from me.

Is it correct to say that ikelifetime should be less than salifetime?

I think I caused myself a problem when I reduced salifetime to less than 
ikelifetime on a virtually idle link.

When I made salifetime less than ikelifetime I was getting "IPsec SA 
expired (LATEST!)" and the link was going into "prospective erouted", 
which I think I've fixed by making ikelifetime < salifetime.

When the link was busy (I ran iperf flat out for 1000 minutes!) I didn't 
get any "IPsec SA expired (LATEST!)" messages, presumably because I was 
moving enough data for the keys to be updated fast enough.

I think I needed to set short lifetimes because it appears that the 
VMware server I'm running Openswan on forgets connections when they were 

Reading the man page I see that the defaults are 1h and 8h for 
ikelifetime & salifetime respectively, but I don't think I've read a 
suggested relationship between them.

Any insight would be most welcome.


