I would like some clarification on IPSec Phase 1 and Phase 2 lifetimes.
NOTICE: I know this topic is not m0n0wall specific, but I think many of
us could learn from your answers. Please accept my apologies!
So, could someone explain what are Phase 1 and Phase 2 lifetime exactly for?
What I believe:
 - The P1 value is for the tunnel itself. It's similar to a dial-on-demand
idle timeout. The tunnel is closed if there is no network activity for a
given time period. IPSec tunnels are not persistent, by design.
 - The P2 value defines a sort of validity period for each newly created
SA, in terms of a limited lifetime (whether the SA is used or not), for security.
 - If P2 > P1, many SAs are generated and exchanged during the same
tunnel "session". On the other hand, if P1 > P2, the remaining SAs are kept
for future use in another tunnel "session".
Please let me know where I'm right and where I'm wrong.
I've seen configurations where P1 > P2 and others with P2 > P1,
depending on the hardware used. As far as I know, each vendor has a
different approach to the topic, so it's very confusing and difficult to
get a good idea of how things work...
Question: when in use, will a tunnel transparently renew its SA without
having to disconnect and then reconnect? Will it delay the SA
re-negotiation until there is no activity on the link? Or will it cache
SAs for further use?
As long as I use only m0n0wall for all my tunnels, I personally don't
need vendor-specific compatibility values. I would just like to minimize
the tunnel expiration annoyance from my users' point of view. What are
the best values in this situation?
Thanks in advance for your answers. Have a nice day.
 - What values will ensure there is no break during a tunnel "session"?
Thanks in advance for your contributions and advice.
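A toy rekey timeline, added here as an illustration and not part of the original thread, that treats the Phase 1 (IKE SA) and Phase 2 (IPsec SA) lifetimes as two independent timers and assumes a standards-style peer that begins rekeying a fixed margin before hard expiry; whether a given vendor behaves this way is an assumption, as the post itself notes. It lets you count how many renegotiations a continuous "session" sees for P1 > P2 versus P2 > P1, and whether any second passes with no valid IPsec SA:

```python
"""Model IPsec rekeying for given Phase 1 and Phase 2 lifetimes.

Assumptions (not from the original post):
  * each SA is replaced `margin` seconds before its hard expiry ("soft
    lifetime"), and the replacement takes `negotiate` seconds to set up;
  * the IKE SA (P1) and the IPsec SA (P2) rekey on independent timers,
    and an IKE rekey does not tear down the IPsec SA.
All times are in seconds.
"""


def simulate(p1_lifetime, p2_lifetime, session_seconds, margin=60, negotiate=2):
    """Return rekey counts, the ordered event list and the total number of
    seconds during the session with no valid IPsec SA (0 = transparent)."""
    for life in (p1_lifetime, p2_lifetime):
        if not 0 <= margin < life:
            raise ValueError("rekey margin must be smaller than the lifetime")

    events = []          # (time, "P1"/"P2") when a rekey starts
    gap_seconds = 0      # time with no IPsec SA in place

    for name, life in (("P1", p1_lifetime), ("P2", p2_lifetime)):
        expiry = life                      # first SA created at t=0
        while expiry - margin < session_seconds:
            start = expiry - margin        # soft lifetime reached: rekey now
            ready = start + negotiate      # replacement SA installed
            events.append((start, name))
            if name == "P2" and ready > expiry:
                # margin too small: old IPsec SA died before the new one existed
                gap_seconds += ready - expiry
            expiry = ready + life          # new SA's own lifetime starts here

    events.sort()
    return {
        "p1_rekeys": sum(1 for _, n in events if n == "P1"),
        "p2_rekeys": sum(1 for _, n in events if n == "P2"),
        "gap_seconds": gap_seconds,
        "events": events,
    }


if __name__ == "__main__":
    # Constructed sample values: an 8-hour session with common lifetimes.
    for p1, p2 in ((28800, 3600), (3600, 28800)):
        r = simulate(p1, p2, session_seconds=8 * 3600)
        print(f"P1={p1} P2={p2}: P1 rekeys={r['p1_rekeys']} "
              f"P2 rekeys={r['p2_rekeys']} gap={r['gap_seconds']}s")
```

With the margin larger than the negotiation time neither ordering of P1 and P2 produces a gap; only the number of renegotiations differs, and the gap only appears when the rekey margin is too short for the exchange to finish.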