[ previous ] [ next ] [ threads ]
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Jorma Spaziano'" <jspaziano at mileshealthcare dot org>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Lifetimes
 Date:  Fri, 1 Oct 2004 10:36:22 -0400
Not to correct your math but, 86400 sec. / 60 sec. per min. / 60 min. per
hr.  = 24 hr. 

Copied from the docbook: http://www.m0n0.ch/wall/docbook/ipsec-tunnels.html

Phase 1 
Lifetime: This field is far more important then it appears. This lifetime,
as apposed to the one in phase 2, is how long your end will wait for phase 1
to be completed. I suggest using 28800 in this field.

Phase 2
Lifetime: This is the lifetime the negotiated keys will be valid for. Do not
set this to too high of a number. E.g. more than about a day (86400) as
doing so will give people more time to crack your key. Don't be over
paranoid either; there is no need to set this to 20 minutes or something
like that. Honestly, one day is probably good.

The Phase 2 lifetime should not cause the VPN to expire. But the encryption
(phase 2) has to be renegotiated - keys changed every 24 hours. The Phase 1
lifetime is more of a "timeout" setting. Does your DSL reset every 24 hr? I
have read other posters stating that their lines reset every 24 hours - thus
causing VPN woes.

James W. McKeand

-----Original Message-----
From: Jorma Spaziano [mailto:jspaziano at mileshealthcare dot org] 
Sent: Friday, October 01, 2004 9:41 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Lifetimes

Hi List,
	I have a LAN <-> LAN connection over DSL with Mono on both sides. Is
there a way to keep the IPSEC tunnel from expiring? Currently the lifetime
is 86400 that works out to 23.5 hours. So dose that mean a new tunnel needs
to be esatblished every 23.5 hours?

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch