 From:  Dinesh Nair <dinesh at alphaque dot com>
 To:  John Auld <jxa at minervaplc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Tue, 3 Aug 2004 18:24:16 +0800 (MYT)
On Tue, 3 Aug 2004, John Auld wrote:

> When I reported the problem with racoon causing problems, by not
> cleaning up stale SADs and SPDs, I had set the timeout on the phase 1
> and 2 IPsec options to 5 minutes.

Generally, phase I lifetimes should be one of the following: 21600 (6
hours), 43200 (12 hours) or 86400 (24 hours). Phase II lifetimes can be
1800 (30 mins), 3600 (60 mins) or 7200 (2 hours).

You could obviously use different values than what I've suggested above,
but these are the ones which have been generally recommended to provide
good privacy and at the same time not tax your infrastructure too much.

Generally, the phase II lifetimes should be much, much smaller than your
phase I lifetimes. And as usual, the same lifetime settings need to be
used on both sides of the IPsec tunnel.

Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque dot com                (0 0)    http://www.alphaque.com/
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
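The lifetime rules from the reply above, turned into a small checker. This is an added example, not code from the thread, from m0n0wall or from the racoon project: it parses the `lifetime time N unit;` lines of racoon.conf-style `remote` (phase 1) and `sainfo` (phase 2) blocks for two peers and flags the three things the mail warns about: lifetimes that differ between the two ends, lifetimes shorter than 30 minutes (the poster's 5-minute setting), and a phase 2 lifetime that is not much smaller than phase 1. The config fragments are constructed for illustration, the peer addresses are documentation addresses, and the "at least 3x" ratio and the 30-minute floor are this example's own thresholds, chosen to agree with the recommended value sets in the mail.

```python
"""Lint racoon.conf lifetimes on two IPsec peers (added example, not racoon code)."""
import re

# Time units racoon accepts in "lifetime time N unit;" (man racoon.conf).
_UNITS = {"sec": 1, "min": 60, "hour": 3600}

# A top-level "remote ... {" (phase 1) or "sainfo ... {" (phase 2) block header.
_BLOCK_RE = re.compile(r"^\s*(remote|sainfo)\b[^{]*\{", re.M)
_LIFETIME_RE = re.compile(r"lifetime\s+time\s+(\d+)\s+(sec|min|hour)s?\s*;")

# Thresholds chosen for this example (assumptions, not racoon defaults):
MIN_LIFETIME = 1800   # anything below 30 min rekeys constantly
RATIO = 3             # phase 1 should be at least 3x phase 2 (21600 vs 7200)


def _blocks(conf):
    """Yield (kind, body) for each remote/sainfo block, counting braces so the
    nested proposal { ... } inside a remote block does not end it early."""
    for m in _BLOCK_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def parse_lifetimes(conf):
    """Return {"phase1": seconds, "phase2": seconds} found in a racoon.conf text."""
    found = {}
    for kind, body in _blocks(conf):
        m = _LIFETIME_RE.search(body)
        if m:
            found["phase1" if kind == "remote" else "phase2"] = int(m.group(1)) * _UNITS[m.group(2)]
    return found


def check_pair(left_conf, right_conf):
    """Apply the mail's rules to both peers; an empty list means the pair looks sane."""
    left, right = parse_lifetimes(left_conf), parse_lifetimes(right_conf)
    problems = []
    for phase in ("phase1", "phase2"):
        if phase not in left or phase not in right:
            problems.append(f"{phase}: lifetime missing on one side")
            continue
        if left[phase] != right[phase]:
            problems.append(f"{phase}: mismatch {left[phase]}s vs {right[phase]}s")
        if left[phase] < MIN_LIFETIME:
            problems.append(f"{phase}: {left[phase]}s is shorter than 30 min")
    if "phase1" in left and "phase2" in left and left["phase2"] * RATIO > left["phase1"]:
        problems.append("phase2 lifetime is not much smaller than phase1")
    return problems


def _conf(p1, p2):
    """Build a constructed racoon.conf fragment with the given lifetime strings."""
    return f"""
remote 203.0.113.1 {{
    exchange_mode main;
    lifetime time {p1};
    proposal {{
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }}
}}
sainfo anonymous {{
    pfs_group 2;
    lifetime time {p2};
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}}
"""

SHORT_CONF = _conf("5 min", "5 min")          # the poster's setting
RECOMMENDED_CONF = _conf("24 hour", "1 hour")  # one of the suggested pairs
MISMATCH_CONF = _conf("12 hour", "1 hour")     # peer with a different phase 1

if __name__ == "__main__":
    for name, a, b in (("short", SHORT_CONF, SHORT_CONF),
                       ("ok", RECOMMENDED_CONF, RECOMMENDED_CONF),
                       ("mismatch", RECOMMENDED_CONF, MISMATCH_CONF)):
        print(name, check_pair(a, b) or "ok")
```

Run it on the real racoon.conf from each end of the tunnel by reading both files and passing the text to `check_pair`; the brace counting is what lets the phase 1 lifetime be picked up whether it sits directly in `remote` or in its nested `proposal` block.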