[Openswan Users] ikelifetime < salifetime ?
Paul Wouters
paul at xelerance.com
Mon Aug 15 09:49:12 EDT 2011
On Sun, 14 Aug 2011, Mark Himsley wrote:
> Is it correct to say that ikelifetime should be less than salifetime?
There is disagreement on that. The two are pretty independent, so you
can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h. Openswan
has it the other way around.
> I think I caused myself a problem when I reduced salifetime to less than
> ikelifetime on a virtually idle link.
That should not matter.
> When I made salifetime less than ikelifetime I was getting "IPsec SA
> expired (LATEST!)" and the link was going into "prospective erouted",
> which I think I've fixed by making ikelifetime < salifetime.
Hmm, it should still rekey the phase2...
> I think I needed to set short lifetimes because it appears that the
> VMWare server I'm running Openswan on forgets connections when they were
> idle.
That just might require NAT-T keepalives, even if there is no NAT. You
can try adding forceencaps=yes
Paul
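As an added illustration (not code from the thread or from the Openswan project), the small Python tool below reads an ipsec.conf fragment, applies the `conn %default` section and Openswan's shipped defaults (ikelifetime=1h, salifetime=8h, the reverse of the RFC figures quoted above), converts the lifetime syntax (seconds with an optional s/m/h/d suffix) into seconds, and reports per connection whether forceencaps=yes is set. The sample configuration is constructed for this example; the `idle-vm` conn shows the shape the thread converges on (short lifetimes plus forced encapsulation for keepalives on an idle link), and the parser deliberately does not handle `also=` or `include`.

```python
import re

# Openswan accepts lifetimes as an integer count of seconds with an
# optional unit suffix: s, m, h or d.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Openswan's shipped defaults, as described in the thread: IKE SA 1h,
# IPsec SA 8h. forceencaps is off unless the conn turns it on.
DEFAULTS = {"ikelifetime": "1h", "salifetime": "8h", "forceencaps": "no"}


def parse_lifetime(value):
    """Turn '8h', '3600', '45m' or '2d' into a number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad lifetime %r" % value)
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}}.

    Handles 'config setup', 'conn <name>' sections and 'conn %default'
    inheritance. 'also=' and 'include' are not supported (assumption:
    the configs fed to it do not use them).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header
            kind, _, name = line.partition(" ")
            current = {}
            sections[(kind.strip(), name.strip())] = current
            continue
        if current is None:
            raise ValueError("key outside a section: %r" % raw)
        key, _, val = line.strip().partition("=")
        current[key.strip()] = val.strip()

    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), kv in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = dict(DEFAULTS)     # built-in defaults first,
        merged.update(default)      # then conn %default,
        merged.update(kv)           # then the conn itself
        conns[name] = merged
    return conns


def lifetimes_report(text):
    """Per conn: effective IKE SA / IPsec SA lifetimes in seconds and
    whether NAT-T keepalives are forced on (forceencaps=yes)."""
    report = {}
    for name, kv in parse_ipsec_conf(text).items():
        report[name] = {
            "ikelifetime": parse_lifetime(kv["ikelifetime"]),
            "salifetime": parse_lifetime(kv["salifetime"]),
            "forceencaps": kv["forceencaps"].lower() == "yes",
        }
    return report


# Constructed sample config (addresses are documentation ranges).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn %default
    ikelifetime=1h
    salifetime=8h

conn idle-vm
    left=192.0.2.1
    right=198.51.100.1
    ikelifetime=30m
    salifetime=1h
    forceencaps=yes     # NAT-T keepalives even without a NAT in the path

conn plain
    left=192.0.2.1
    right=203.0.113.1
"""

if __name__ == "__main__":
    for conn_name, entry in lifetimes_report(SAMPLE_CONF).items():
        print(conn_name, entry)
```

Running it prints one line per conn; `idle-vm` resolves to 1800/3600 seconds with forceencaps on, while `plain` simply inherits the 1h/8h defaults with forceencaps off.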