On 30.10.2006 11:04 Robert Rich wrote:
> I actually don't have a setting for the phase 1 lifetime, I don't know
> what that means. Phase 2 lifetime is literally one year.

Just look in the "Phase 1 proposal (Authentication)" section: between DH key
group and Authentication method there is the lifetime setting for Phase
1, which must be the same on both ends.

> With settings like yours, do you notice it renegotiating the tunnel?
> We're doing VoIP through these and I'm afraid of dropouts while that
> is taking place.

Of course. It also depends on the clients. E.g. if these are using
dialup (DSL) and get a new IP once in a while, the tunnel information
must be rebuilt.

So setting any lifetime to a specified value does not
mean that the IPSec gateway will store that information for that long!

What takes the most time when creating IPSec tunnel information is the
Phase 1 negotiation, because of the key exchange algorithm, but this also
depends on the hardware used.

I suggest you first check your lifetime settings.