On 30.10.2006 11:04 Robert Rich wrote:

> I actually don't have a setting for the phase 1 lifetime, I don't know
> what that means. Phase 2 lifetime is literally one year.

Just look in the "Phase 1 proposal (Authentication)" section between DH key group and Authentication method, there is the lifetime setting for Phase 1 which must be the same on both ends.

> With settings like yours, do you notice it renegotiating the tunnel?
> We're doing VoIP through these and I'm afraid of dropouts while that
> is taking place.

Of course. It also depends on the clients. E.g. if these are using dialup (DSL) and get a new IP once in a while the tunnel information must be rebuilt. So when setting any lifetime to a specified value it does not necessarily mean that the IPSec gateway will store that information for that long!

What takes the most time when creating IPSec tunnel information is the Phase 1 negotiation because of the key exchange algorithm but this also depends on the used hardware.

I suggest you first check your lifetime settings.

Regards
-Bjoern