 From:  Bjoern Euler <lists at edain dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  jai at innaloo dot net
 Subject:  Re: [m0n0wall] Random lack of Dataflow over IPSEC VPN
 Date:  Wed, 20 Dec 2006 13:04:02 +0100
On 20.12.2006 12:29 Jai Ketteridge wrote:
> According to http://doc.m0n0.ch/handbook/ipsec-tunnels.html it says that it
> recommends using 28880 for phase 1?
> Phase 1:
> Lifetime: This field is far more important than it appears. This lifetime,
> as opposed to the one in phase 2, is how long your end will wait for phase 1
> to be completed. I suggest using 28800 in this field.

I think that information is wrong. The lifetime for phase 1 specifies 
the time Security Associations will last. It is not a timeout!

When the specified phase 1 lifetime is over the IKE daemon starts a new 
key exchange based on the certificate or pre-shared key. The transmitted 
keys are used to encrypt a second key exchange for the encryption of the 
data (ESP, phase 2). The SA information is then used to generate new 
keys for the ESP data flow based on the phase 2 lifetime.

See <http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8> for some 
basic information.

If phase 2 lifetime is higher than phase 1 the channels for key exchange 
can get somehow out of sync and the tunnel starts failing after some time.

Note: phase 1 exchange (in main mode) takes the most CPU time when a 
tunnel is established because it is based on the Diffie-Hellman algorithm.
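The rule in the reply above (the phase 2 lifetime must not be higher than the phase 1 lifetime, otherwise the ESP SA outlives the IKE SA it was negotiated under) is easy to lint for before a tunnel is deployed. The following script is an added example written for this archive page, not code from m0n0wall or from either poster. It parses a constructed config fragment whose element layout (tunnel/p1/lifetime, tunnel/p2/lifetime, seconds) is an assumption for the example and is not m0n0wall's real config.xml schema, then reports each tunnel whose lifetimes are the wrong way round and how many phase 2 rekeys one phase 1 SA is expected to cover.

```python
import xml.etree.ElementTree as ET

# Constructed sample config fragment (not a real m0n0wall config.xml).
# Element layout is an assumption for this example; lifetimes are in seconds.
# office-a follows the advice in the thread (28800 for phase 1, shorter phase 2),
# office-b has the two lifetimes swapped, office-c has them equal.
SAMPLE_CONFIG = """
<ipsec>
  <tunnel>
    <descr>office-a</descr>
    <p1><lifetime>28800</lifetime></p1>
    <p2><lifetime>3600</lifetime></p2>
  </tunnel>
  <tunnel>
    <descr>office-b</descr>
    <p1><lifetime>3600</lifetime></p1>
    <p2><lifetime>28800</lifetime></p2>
  </tunnel>
  <tunnel>
    <descr>office-c</descr>
    <p1><lifetime>28800</lifetime></p1>
    <p2><lifetime>28800</lifetime></p2>
  </tunnel>
</ipsec>
"""


def parse_tunnels(xml_text):
    """Return one dict per <tunnel> with its description and both lifetimes."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for node in root.findall("tunnel"):
        tunnels.append({
            "descr": node.findtext("descr", default="(unnamed)"),
            "p1": int(node.findtext("p1/lifetime")),
            "p2": int(node.findtext("p2/lifetime")),
        })
    return tunnels


def rekeys_per_phase1(p1, p2):
    """How many phase 2 (ESP) rekeys fit inside one phase 1 (IKE) SA lifetime.
    Zero means the ESP SA would still be alive when its IKE SA expires."""
    return p1 // p2


def check_tunnel(tunnel):
    """Lifetime findings for one tunnel, following the rule from the reply:
    the phase 2 lifetime must not be higher than the phase 1 lifetime."""
    findings = []
    p1, p2 = tunnel["p1"], tunnel["p2"]
    if p2 > p1:
        findings.append(
            f"phase 2 lifetime {p2}s exceeds phase 1 lifetime {p1}s: "
            f"the ESP SA outlives the IKE SA it was negotiated under "
            f"(rekeys per phase 1 SA: {rekeys_per_phase1(p1, p2)})"
        )
    return findings


def audit(xml_text):
    """Map tunnel description -> list of findings (an empty list means OK)."""
    return {t["descr"]: check_tunnel(t) for t in parse_tunnels(xml_text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{'WARN' if findings else 'OK':4} {name}")
        for finding in findings:
            print("     -", finding)
```

Run it as-is to see office-b flagged and the other two pass; to lint a real configuration, replace SAMPLE_CONFIG with your own fragment and adjust the element paths in parse_tunnels to match its actual layout.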