[Openswan Users] ikelifetime < salifetime ?

Mark Himsley mark at mdsh.com
Mon Aug 15 10:46:23 EDT 2011

On 15/08/11 15:36, Paul Wouters wrote:
> On Mon, 15 Aug 2011, Mark Himsley wrote:
>>>> Is it correct to say that ikelifetime should be less than salifetime?
>>> There is disagreement on that. The two are pretty independant, so you
>>> can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h.
>>> Openswan
>>> has it the other way around.
>> You say "you can pick either". What if I've picked both?
> If you pick them to expire around the same time, then you might have a
> problem
> that you SA vanished while your ISAKMP is rekeying, and you end up with
> a possible
> few seconds of downtime.

I don't think I've every made them the same, but still had hours of 

Maybe I should pick nice prime numbers for them both so that they are 
very unlikely to happen at the same time, like 7 and 13 minutes for my 
short duration keys ;-)

Seriously, thanks again for your input, it gives me more ideas for 
things to look at.


More information about the Users mailing list