On 20.12.2006 12:29 Jai Ketteridge wrote:
> According to http://doc.m0n0.ch/handbook/ipsec-tunnels.html it says that it
> recommends using 28880 for phase 1?
> Phase 1:
> Lifetime: This field is far more important than it appears. This lifetime,
> as opposed to the one in phase 2, is how long your end will wait for phase 1
> to be completed. I suggest using 28800 in this field.
I think that information is wrong. The lifetime for phase 1 specifies
the time Security Associations will last. It is not a timeout!
When the specified phase 1 lifetime is over the IKE daemon starts a new
key exchange based on the certificate or pre-shared key. The transmitted
keys are used to encrypt a second key exchange for the encryption of the
data (ESP, phase 2). The SA information is then used to generate new
keys for the ESP data flow based on the phase 2 lifetime.
See <http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8> for some
If phase 2 lifetime is higher than phase 1 the channels for key exchange
can get somehow out of sync and the tunnel starts failing after some time.
Note: phase 1 exchange (in main mode) takes the most CPU time when a
tunnel is established because it is based on the Diffie-Hellman algorithm.
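The two lifetimes discussed above, placed where they belong in a racoon.conf fragment. This is an added example, not from the thread or the m0n0wall handbook; it assumes racoon as the IKE daemon, and the addresses and networks are constructed.

```conf
# Phase 1 (ISAKMP SA): lifetime of the key-exchange channel, not a timeout.
# Constructed peer address 203.0.113.2; adjust to the real tunnel endpoint.
remote 203.0.113.2 {
        exchange_mode main;              # main mode: DH exchange, highest CPU cost
        lifetime time 28800 sec;         # phase 1 SA lifetime (8 hours)
        proposal_check obey;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec/ESP SA): lifetime of the data keys, renewed under the
# phase 1 SA. Keep it shorter than phase 1 so rekeying never depends on
# a phase 1 SA that has already expired.
sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;          # phase 2 SA lifetime (1 hour) < 28800
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Setting the sainfo lifetime above the remote lifetime (e.g. 28800 vs 3600) reproduces the mismatch the mail warns about, with phase 2 outliving the phase 1 SA it depends on.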