 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] 1.2b1 IPsec SA issues
 Date:  Mon, 27 Sep 2004 20:56:49 -0400
On Mon, 27 Sep 2004 14:20:07 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
> There's a subtle issue with "prefer newer" when non-time lifetimes are in
> use.  Although m0n0wall doesn't currently support that, there's nothing to
> stop the peer from imposing limits based on byte or packet counts.  With
> multiple usable SAs, the preference order affects which SA gets "charged"
> for the traffic.  But if rekeying is triggered by reaching a soft limit,
> then I wouldn't expect "prefer newer" to actually lose connectivity; it
> would just increase the frequency of rekeying.

For what it's worth, the PIX uses 50,000 KB as a byte limit if you
don't specify one (I didn't).  It's been set up this way from day one,
and hasn't caused an issue that I'm aware of.  I know I've transferred
more than 50,000 KB in less than the timeout period dozens if not
hundreds of times over the last several months.  So that doesn't seem
to be a problem (now or before).