 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSec - P1 and P2 lifetime values
 Date:  Mon, 26 Jul 2004 10:24:12 +0200
Hi all!

I would like to get some clarification on IPSec Phase 1 and 2 lifetimes.

NOTICE: I know this topic is not m0n0wall specific, but I think many of 
us could learn from your answers. Please accept my apologies!

So, could someone explain what are Phase 1 and Phase 2 lifetime exactly for?

What I believe:

[1] - P1 value is for the tunnel itself. It's similar to a dial-on-demand 
idle timeout. The tunnel is closed if there is no network activity for a 
given time period. IPSec tunnels are not persistent, by design.

[2] - P2 value defines a sort of validity period for each newly created 
SA, in terms of limited lifetime (whether the SA is being used or not), for security 

[3] - If P2 > P1, many SAs are generated and exchanged during the same 
tunnel "session". On the other hand, if P1 > P2, remaining SAs are kept 
for future use in another tunnel "session".

Please let me know where I'm right and where I'm wrong.

I've seen configurations where P1 > P2 and others with P2 > P1, 
depending on the hardware used. As far as I know, each vendor has a 
different approach to the topic, so it's very confusing and difficult to 
get a good idea of how things work...

Question: when in use, will a tunnel transparently renew its SA without 
having to disconnect and then reconnect? Will it delay the SA 
re-negotiation until there is no activity on the link? Or will it cache 
the SA for further use?

As long as I use only m0n0wall for all my tunnels, I personally don't 
need vendor-specific compatibility values. I just would like to minimize 
the tunnel expiration annoyance, from my users' point of view. What are 
the best values in this situation?

Thanks in advance for your answers. Have a nice day.

-- Vincent

- What values will ensure there is no break during a tunnel "session"?

Thanks in advance for your contributions and advice.