[Openswan Users] ikelifetime < salifetime ?
Paul Wouters
paul at xelerance.com
Mon Aug 15 10:36:50 EDT 2011
On Mon, 15 Aug 2011, Mark Himsley wrote:
>>> Is it correct to say that ikelifetime should be less than salifetime?
>>
>> There is disagreement on that. The two are pretty independent, so you
>> can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h. Openswan
>> has it the other way around.
>
> You say "you can pick either". What if I've picked both?
If you pick them to expire around the same time, then you might have a problem
that your SA vanished while your ISAKMP is rekeying, and you end up with a possible
few seconds of downtime.
Paul