[Openswan Users] ikelifetime < salifetime ?
Mark Himsley
mark at mdsh.com
Mon Aug 15 10:46:23 EDT 2011
On 15/08/11 15:36, Paul Wouters wrote:
> On Mon, 15 Aug 2011, Mark Himsley wrote:
>
>>>> Is it correct to say that ikelifetime should be less than salifetime?
>>>
>>> There is disagreement on that. The two are pretty independent, so you
>>> can pick either. I believe the RFC has IKE SA 8h and IPsec SA 1h.
>>> Openswan has it the other way around.
>>
>> You say "you can pick either". What if I've picked both?
>
> If you pick them to expire around the same time, then you might have a
> problem that your SA vanished while your ISAKMP is rekeying, and you end
> up with a possible few seconds of downtime.
I don't think I've ever made them the same, but still had hours of
downtime.
Maybe I should pick nice prime numbers for them both so that they are
very unlikely to happen at the same time, like 7 and 13 minutes for my
short duration keys ;-)
Seriously, thanks again for your input, it gives me more ideas for
things to look at.
--
Mark
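As an added example (not code from this thread or from Openswan), a small Python check that reads `ikelifetime` and `salifetime` from an ipsec.conf `conn` section and lists the moments when an IKE SA expiry and an IPsec SA expiry would coincide, the situation Paul describes. It assumes the defaults the thread attributes to Openswan (IKE SA 1h, IPsec SA 8h) for unset values and uses a constructed sample config with the 7 and 13 minute lifetimes from the message.

```python
import re
from math import gcd

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Defaults as the thread describes Openswan's: IKE SA 1h, IPsec SA 8h.
DEFAULTS = {"ikelifetime": "1h", "salifetime": "8h"}

def parse_lifetime(value):
    """'8h' -> 28800, '13m' -> 780; no suffix means seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("unparseable lifetime: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def conn_lifetimes(conf_text, conn):
    """(ikelifetime, salifetime) in seconds for one 'conn' section."""
    settings = dict(DEFAULTS)
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if not line[0].isspace():              # 'conn NAME' header line
            section = line.split()
        elif section == ["conn", conn] and "=" in line:
            key, val = line.strip().split("=", 1)
            settings[key.strip()] = val.strip()
    return (parse_lifetime(settings["ikelifetime"]),
            parse_lifetime(settings["salifetime"]))

def first_coincidence(ike, sa):
    """Seconds until an IKE expiry and an IPsec SA expiry land together."""
    return ike * sa // gcd(ike, sa)

def coinciding_expiries(ike, sa, horizon, window=0):
    """IKE expiries up to `horizon` within `window` seconds of an SA expiry."""
    hits = []
    for t in range(ike, horizon + 1, ike):
        nearest_sa = max(sa, round(t / sa) * sa)
        if abs(nearest_sa - t) <= window:
            hits.append(t)
    return hits

# Constructed sample: the 7 and 13 minute primes suggested in the thread.
SAMPLE_CONF = """\
conn primes
    ikelifetime=7m
    salifetime=13m   # co-prime with ikelifetime
"""
```

Even with co-prime lifetimes the two schedules still meet at their least common multiple (91 minutes here), so the check is worth running over a day rather than assuming primes never collide.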