[Openswan Users] ikelifetime < salifetime ?

Paul Wouters paul at xelerance.com
Mon Aug 15 10:36:50 EDT 2011


On Mon, 15 Aug 2011, Mark Himsley wrote:

>>> Is it correct to say that ikelifetime should be less than salifetime?
>>
>> There is disagreement on that. The two are pretty independent, so you
>> can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h. Openswan
>> has it the other way around.
>
> You say "you can pick either". What if I've picked both?

If you pick them to expire around the same time, then you might have a problem
that your SA vanished while your ISAKMP is rekeying, and you end up with a possible
few seconds of downtime.

Paul
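
An added illustration of the two situations discussed above, in ipsec.conf
syntax. This is not from Paul's or Mark's messages and not Openswan project
documentation. The option names ikelifetime, salifetime, rekeymargin and
rekeyfuzz are real Openswan conn options; the connection names, addresses and
lifetime values are assumed for the example.

```ini
# Added example, not from the original thread. Connection names, addresses
# and values are assumed for illustration.

# Risky: the ISAKMP (IKE) SA and the IPsec SA expire at about the same
# time, so the IPsec SA can vanish while the ISAKMP SA is still being
# re-established, giving the few seconds of downtime described above.
conn overlapping-rekey
    left=192.0.2.1
    right=198.51.100.1
    ikelifetime=1h
    salifetime=1h
    # rekeymargin: start rekeying this long before expiry (Openswan default 9m)
    rekeymargin=9m
    # rekeyfuzz: randomise the margin by up to this much (Openswan default 100%)
    rekeyfuzz=100%
    auto=start

# Staggered, RFC-style: a long-lived ISAKMP SA and a short-lived IPsec SA.
# The IPsec SA rekeys several times under one ISAKMP SA, so the two rekeys
# rarely coincide.
conn staggered-rekey
    left=192.0.2.1
    right=198.51.100.1
    ikelifetime=8h
    salifetime=1h
    rekeymargin=9m
    rekeyfuzz=100%
    auto=start

# Openswan's default ordering, the other way around: short ISAKMP SA,
# long IPsec SA. Also staggered, just with the ISAKMP SA rekeying more often.
conn openswan-default-order
    left=192.0.2.1
    right=198.51.100.1
    ikelifetime=1h
    salifetime=8h
    rekeymargin=9m
    rekeyfuzz=100%
    auto=start
```

The point is only the ratio between the two lifetimes: whichever ordering is
chosen, giving them clearly different values (and leaving rekeymargin and
rekeyfuzz in place) keeps the IKE rekey and the IPsec rekey from landing in the
same window.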

