 From:  Bjoern Euler <lists at edain dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Robert Rich <rrich at gstisecurity dot com>
 Subject:  Re: [m0n0wall] m0n0 <-> m0n0 IPSec VPN stability
 Date:  Mon, 30 Oct 2006 19:44:55 +0100
On 30.10.2006 11:04 Robert Rich wrote:
> I actually don't have a setting for the phase 1 lifetime, i don't know 
> what that means.  Phase 2 lifetime is literally one year.
Just look in "Phase 1 proposal (Authentication)" section between DH key 
group and Authentication method, there is the lifetime setting for Phase 
1 which must be the same on both ends.

> With settings like yours, do you notice it renegotiating the tunnel?  
> We're doing VoIP through these  and i'm afraid of dropouts while that 
> is taking place.
Of course. It also depends on the clients. E.g. if these are using 
dialup (DSL) and get a new IP once in a while, the tunnel information 
must be rebuilt.
So when setting any lifetime to a specified value it does not necessarily 
mean that the IPSec gateway will store that information for that long!
What takes the most time when creating IPSec tunnel information is the 
Phase 1 negotiation because of the key exchange algorithm but this also 
depends on the used hardware.

I suggest you first check your lifetime settings.

Regards
-Bjoern
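As an added illustration (not part of this thread and not m0n0wall's own code), a small Python check that flags mismatched Phase 1 / Phase 2 proposal settings between two endpoints, as Bjoern suggests verifying, and lists how often each phase would expire over a day; all endpoint values, lifetimes and parameter names are constructed for the example.

```python
"""Compare IPsec proposals of two endpoints and list lifetime expiries.
All values below are constructed sample data, not a real configuration."""
from dataclasses import dataclass

# Settings that must be identical on both ends for the phase to negotiate.
PHASE1_KEYS = ("encryption", "hash", "dh_group", "lifetime", "auth_method")
PHASE2_KEYS = ("encryption", "hash", "pfs_group", "lifetime")


@dataclass
class Endpoint:
    name: str
    phase1: dict
    phase2: dict


def proposal_mismatches(a: Endpoint, b: Endpoint) -> list[str]:
    """Return a description of every proposal setting that differs."""
    problems = []
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in keys:
            if pa.get(key) != pb.get(key):
                problems.append(
                    f"{phase}.{key}: {a.name}={pa.get(key)!r} {b.name}={pb.get(key)!r}")
    return problems


def rekey_events(p1_lifetime: int, p2_lifetime: int, window: int) -> list[tuple[int, str]]:
    """Seconds after tunnel setup at which each phase's lifetime expires within window.
    Phase 1 expiry forces a new (slow) DH exchange; phase 2 expiry only rekeys the SA."""
    events = [(t, "phase1") for t in range(p1_lifetime, window + 1, p1_lifetime)]
    events += [(t, "phase2") for t in range(p2_lifetime, window + 1, p2_lifetime)]
    return sorted(events)


# Constructed endpoints: site-b has a different Phase 1 lifetime and a
# one-year Phase 2 lifetime, so the proposals will not line up.
SITE_A = Endpoint("site-a",
                  {"encryption": "3des", "hash": "sha1", "dh_group": 2,
                   "lifetime": 28800, "auth_method": "psk"},
                  {"encryption": "3des", "hash": "sha1", "pfs_group": 2, "lifetime": 3600})
SITE_B = Endpoint("site-b",
                  {"encryption": "3des", "hash": "sha1", "dh_group": 2,
                   "lifetime": 3600, "auth_method": "psk"},
                  {"encryption": "3des", "hash": "sha1", "pfs_group": 2, "lifetime": 31536000})

if __name__ == "__main__":
    for line in proposal_mismatches(SITE_A, SITE_B):
        print("MISMATCH", line)
    for t, phase in rekey_events(28800, 3600, 86400):
        print(f"{t:6d}s {phase} lifetime expires")
```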