Hi all!

I would like to make some clarification on IPSec Phase 1 and 2 lifetime parameters.

NOTICE: I know this topic is not m0n0wall specific, but I think many of us could learn from your answers. Please accept my apologies!

So, could someone explain what Phase 1 and Phase 2 lifetimes are exactly for? What I believe:

[1] - The P1 value is for the tunnel itself. It's similar to a dial-on-demand idle timeout. The tunnel is closed if there is no network activity for a given time period. IPSec is not persistent, by design.

[2] - The P2 value defines a sort of validity period for each newly created SA, in terms of a limited lifetime (whether the SA is being used or not), for security reasons.

[3] - If P2 > P1, many SAs are generated and exchanged during the same tunnel "session". On the other hand, if P1 > P2, the remaining SAs are kept for future use in another tunnel "session".

Please let me know where I'm right and where I'm wrong. I've seen configurations where P1 > P2 and others with P2 > P1, depending on the hardware used. As far as I know, each vendor has a different approach to the topic, so it's very confusing and difficult to get a good idea of how things work...

Question: when in use, will a tunnel transparently renew its SA without having to disconnect and then reconnect? Will it delay the SA re-negotiation until there is no activity on the link? Or will it cache the SA for further use?

As long as I use only m0n0wall for all my tunnels, I personally don't need vendor-specific compatibility values. I just would like to minimize the tunnel expiration annoyance, from my users' point of view. What are the best values in this situation?

Thanks in advance for your answers. Have a nice day.

-- Vincent

- What values will ensure there is no break during a tunnel "session"?

Thanks in advance for your contributions and advice.
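As an added illustration (not part of the original post, and not racoon or m0n0wall code), the following toy model plays out the relationship between the Phase 1 (IKE SA) and Phase 2 (IPsec SA) lifetimes that the post reasons about. It assumes a simplified daemon that renews each SA a fixed `rekey_margin` seconds before it expires while the old SA stays valid, and that Phase 2 SAs survive a Phase 1 renewal; the lifetimes, session length and margin are constructed sample values. Running it with P1 > P2 versus P2 > P1 shows which SA gets renegotiated repeatedly during one busy session, and that neither case produces a gap in protection when renewal happens before expiry.

```python
"""Toy timeline model of IKEv1 Phase 1 / Phase 2 lifetimes.

Constructed example, not racoon or m0n0wall code.  Simplifications
(assumptions of this model, not a statement about any real daemon):
  * an SA is renewed `rekey_margin` seconds before its lifetime ends,
    and the old SA remains usable until then, so traffic never stops;
  * renewing the Phase 1 (IKE) SA does not tear down Phase 2 SAs;
  * traffic flows continuously for `session_length` seconds, so every
    expiry is reached and no idle behaviour is involved.
"""

from collections import Counter


def simulate(p1_lifetime, p2_lifetime, session_length, rekey_margin=60):
    """Return the (time, event) list for one continuously used session.

    p1_lifetime   Phase 1 / IKE SA lifetime in seconds
    p2_lifetime   Phase 2 / IPsec SA lifetime in seconds
    session_length  how long traffic keeps flowing, in seconds
    rekey_margin  assumed lead time before expiry at which renewal happens
    """
    if rekey_margin >= min(p1_lifetime, p2_lifetime):
        raise ValueError("rekey margin must be shorter than both lifetimes")

    events = [(0, "ike_sa_established"), (0, "ipsec_sa_established")]
    ike_start = 0     # when the current IKE SA was negotiated
    ipsec_start = 0   # when the current IPsec SA was negotiated

    while True:
        next_ike = ike_start + p1_lifetime - rekey_margin
        next_ipsec = ipsec_start + p2_lifetime - rekey_margin
        t = min(next_ike, next_ipsec)
        if t >= session_length:
            break
        # Whichever SA reaches its renewal point first is renegotiated;
        # ties are resolved over two loop iterations at the same time t.
        if next_ike <= next_ipsec:
            events.append((t, "ike_sa_rekeyed"))
            ike_start = t
        else:
            events.append((t, "ipsec_sa_rekeyed"))
            ipsec_start = t
    return events


def summarize(events):
    """Count how many times each kind of SA was renegotiated."""
    counts = Counter(name for _, name in events)
    return {
        "ike_rekeys": counts["ike_sa_rekeyed"],
        "ipsec_rekeys": counts["ipsec_sa_rekeyed"],
    }


def unprotected_seconds(p1_lifetime, p2_lifetime, session_length, rekey_margin=60):
    """Seconds of the session with no valid IPsec SA under this model.

    Because every renewal happens `rekey_margin` seconds before the old SA
    expires, the new SA is already in place when the old one lapses, so the
    result is always 0 for a positive margin.  With margin 0 the old SA
    would expire at the very instant renewal starts, which is the situation
    that shows up to users as a brief tunnel interruption.
    """
    events = simulate(p1_lifetime, p2_lifetime, session_length, rekey_margin)
    gap = 0
    ipsec_start = 0
    for t, name in events:
        if name == "ipsec_sa_rekeyed":
            expiry = ipsec_start + p2_lifetime
            gap += max(0, t - expiry)
            ipsec_start = t
    return gap


if __name__ == "__main__":
    # Constructed sample values: an 8-hour Phase 1 with a 1-hour Phase 2,
    # and the reverse, over a 2-hour session of continuous traffic.
    for p1, p2 in ((28800, 3600), (3600, 28800)):
        ev = simulate(p1, p2, session_length=7200)
        print(f"P1={p1}s P2={p2}s -> {summarize(ev)} "
              f"gap={unprotected_seconds(p1, p2, 7200)}s")
```

The point the model makes concrete is that lifetimes in this picture are expiry timers that drive renegotiation, and that the "annoyance" the post worries about depends on whether renewal overlaps the old SA, not on which of P1 or P2 is larger.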