[Openswan Users] ikelifetime < salifetime ?

Paul Wouters paul at xelerance.com
Mon Aug 15 09:49:12 EDT 2011

On Sun, 14 Aug 2011, Mark Himsley wrote:

> Is it correct to say that ikelifetime should be less than salifetime?

There is disagreement on that. The two are pretty independant, so you
can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h. Openswan
has it the other way around.

> I think I caused myself a problem when I reduced salifetime to less than
> ikelifetime on a virtually idle link.

That should not matter.

> When I made salifetime less than ikelifetime I was getting "IPsec SA
> expired (LATEST!)" and the link was going into "prospective erouted",
> which I think I've fixed by making ikelifetime < salifetime.

Hmm, it should still rekey the phase2...

> I think I needed to set short lifetimes because it appears that the
> VMWare server I'm running Openswan on forgets connections when they were
> idle.

That just might require NAT-T keepalives, even if there is no NAT. You
can try adding forceencapes=yes


More information about the Users mailing list