On Mon, 27 Sep 2004 14:20:07 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
>
> There's a subtle issue with "prefer newer" when non-time lifetimes are in
> use. Although m0n0wall doesn't currently support that, there's nothing to
> stop the peer from imposing limits based on byte or packet counts. With
> multiple usable SAs, the preference order affects which SA gets "charged"
> for the traffic. But if rekeying is triggered by reaching a soft limit,
> then I wouldn't expect "prefer newer" to actually lose connectivity; it
> would just increase the frequency of rekeying.
>
For what it's worth, the PIX uses 50,000 KB as a byte limit if you
don't specify one (I didn't). It's been set up this way from day one,
and hasn't caused an issue that I'm aware of. I know I've transferred
more than 50,000 KB in less than the timeout period dozens if not
hundreds of times over the last several months. So that doesn't seem
to be a problem (now or before).
-Chris
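An added example to illustrate the point both posts are making: it is not code from m0n0wall, racoon or the PIX, but a constructed model of how SA preference order interacts with a byte-count lifetime. The 50,000 KB limit is the PIX default Chris mentions; the 90% soft limit, the 1 MB traffic chunks and the on-demand renegotiation after an SA expires are assumptions of the model. It shows Fred's expectation holding: with soft-limit rekeying, "prefer newer" never loses connectivity, it only rekeys more often than "prefer older"; without a soft limit, traffic is dropped at every hard-limit expiry.

```python
"""Toy model of IPsec SA selection under a byte-count lifetime.

Constructed illustration, not code from m0n0wall, racoon or the PIX. The
50,000 KB byte limit is the PIX default mentioned in the thread; the 90%
soft limit, the 1 MB chunk size and the reactive renegotiation on expiry
are assumptions made for this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HARD_LIMIT_BYTES = 50_000 * 1024   # PIX default byte lifetime from the thread


@dataclass
class SA:
    spi: int               # stands in for the SPI; higher means negotiated later
    bytes_used: int = 0    # traffic "charged" to this SA
    rekeyed: bool = False  # a replacement has already been negotiated

    def usable(self) -> bool:
        # The peer tears the SA down once the byte lifetime is reached.
        return self.bytes_used < HARD_LIMIT_BYTES


class Tunnel:
    """One IPsec peer pair that may hold several usable SAs at once."""

    def __init__(self, prefer_newer: bool, soft_fraction: Optional[float] = 0.9):
        self.prefer_newer = prefer_newer
        self.soft_fraction = soft_fraction   # None: no proactive rekeying
        self.sas: List[SA] = []
        self.dropped_chunks = 0
        self._negotiate()

    def _negotiate(self) -> None:
        self.sas.append(SA(spi=len(self.sas) + 1))

    def _select(self) -> Optional[SA]:
        usable = [sa for sa in self.sas if sa.usable()]
        if not usable:
            return None
        # The preference order decides which SA gets charged for the traffic.
        if self.prefer_newer:
            return max(usable, key=lambda s: s.spi)
        return min(usable, key=lambda s: s.spi)

    def send(self, nbytes: int) -> bool:
        sa = self._select()
        if sa is None:
            # Every SA has expired: this chunk is lost while a replacement is
            # negotiated on demand (the connectivity hiccup Fred alludes to).
            self.dropped_chunks += 1
            self._negotiate()
            return False
        sa.bytes_used += nbytes
        if (self.soft_fraction is not None and not sa.rekeyed
                and sa.bytes_used >= HARD_LIMIT_BYTES * self.soft_fraction):
            # Soft limit reached: rekey while the old SA is still usable.
            sa.rekeyed = True
            self._negotiate()
        return True

    @property
    def rekeys(self) -> int:
        return len(self.sas) - 1


def simulate(prefer_newer: bool, chunks: int = 1000,
             chunk_bytes: int = 1_000_000,
             soft_fraction: Optional[float] = 0.9) -> Dict[str, int]:
    """Push `chunks` chunks of `chunk_bytes` through the tunnel and report."""
    t = Tunnel(prefer_newer, soft_fraction)
    for _ in range(chunks):
        t.send(chunk_bytes)
    return {"rekeys": t.rekeys, "dropped_chunks": t.dropped_chunks}


if __name__ == "__main__":
    runs = [
        ("prefer newer, soft-limit rekey", dict(prefer_newer=True)),
        ("prefer older, soft-limit rekey", dict(prefer_newer=False)),
        ("prefer newer, no soft limit", dict(prefer_newer=True, soft_fraction=None)),
    ]
    for label, kw in runs:
        print(f"{label:32s} {simulate(**kw)}")
```

With 1000 chunks of 1 MB, "prefer newer" rekeys every 47 MB (as soon as the newest SA crosses the soft limit) while "prefer older" keeps charging the old SA until its hard limit and so rekeys every 52 MB; neither drops traffic. Setting `soft_fraction=None` removes the proactive rekey and each hard-limit expiry costs one lost chunk.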