Not to correct your math, but 86400 sec. / 60 sec. per min. / 60 min. per hr. = 24 hr.

Copied from the docbook: http://www.m0n0.ch/wall/docbook/ipsec-tunnels.html

Phase 1 Lifetime: This field is far more important than it appears. This lifetime, as opposed to the one in phase 2, is how long your end will wait for phase 1 to be completed. I suggest using 28800 in this field.

Phase 2 Lifetime: This is the lifetime the negotiated keys will be valid for. Do not set this to too high of a number, e.g. more than about a day (86400), as doing so will give people more time to crack your key. Don't be over paranoid either; there is no need to set this to 20 minutes or something like that. Honestly, one day is probably good.

The Phase 2 lifetime should not cause the VPN to expire. But the encryption (phase 2) has to be renegotiated - keys changed every 24 hours. The Phase 1 lifetime is more of a "timeout" setting.

Does your DSL reset every 24 hr? I have read other posters stating that their lines reset every 24 hours - thus causing VPN woes.

_________________________________
James W. McKeand

-----Original Message-----
From: Jorma Spaziano [mailto:jspaziano at mileshealthcare dot org]
Sent: Friday, October 01, 2004 9:41 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Lifetimes

Hi List,

I have a LAN <-> LAN connection over DSL with Mono on both sides. Is there a way to keep the IPSEC tunnel from expiring? Currently the lifetime is 86400 that works out to 23.5 hours. So does that mean a new tunnel needs to be established every 23.5 hours?

-Jorma