Re: isakmpd.conf question
In message <m14EI1L-000p7OC@malasada.lava.net>, Tim Newsham writes:
>
>If I change the Default-phase-2-lifetime in [General]
>will it adjust the time between rekeying of active
>vpn sessions?
Default-phase-1-lifetime and Default-phase-2-lifetime are currently only used
for all the pre-loaded Phase 1 and Phase 2 configurations (respectively). If
you specify your own Phase 2 configuration, whatever you specify (or not)
there will take precedence.
>How do two peers agree on the rekeying time? Do they
>tell each other their lifetimes and then pick the common
>minimum in the min-max range? Or do they just verify
>the min-max and then initiate a rekey when their default
>value is reached?
The initiator always proposes a value (based on their configuration), and
the responder agrees or not. There's no negotiation per se.
>I have a connection between two peers, and it is rekeying
>every 45 minutes. (One side has a conf setup for 8-hour
>lifetime and the BSD side has the defaults). I want to
>increase this rekeying time. (Also, why is it 45
>minutes? Does it rekey early to give it some leeway,
>and if so, how early?)
Rekeys occur when the soft lifetime of an SA is reached, which is set to some
random value around 90% of the hard lifetime (what's actually negotiated). This
is precisely so that there's a graceful fallover.
45 minutes is kinda weird though; who initiates the exchange?
-Angelos
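The lifetime behaviour Angelos describes (the initiator proposes its configured value, the responder only checks it against its own acceptable range, and the rekey fires at a soft lifetime jittered around 90% of the negotiated hard lifetime) is easy to misjudge from a config file alone. The following is an added illustration, not code from isakmpd or from either poster: it models that logic in Python. The `value,min:max` lifetime syntax follows isakmpd.conf(5) as I remember it, the 85% to 95% jitter window is an assumption standing in for "some random value around 90%", and all lifetime values used in the demo are constructed.

```python
"""Model of IKE lifetime handling as described in the thread (added example).

Assumptions (not taken from the original mail):
  - lifetime specs use the isakmpd.conf-style form "value,min:max" (seconds)
  - the soft lifetime is drawn uniformly from 85% to 95% of the hard lifetime
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lifetime:
    value: int    # what this side proposes when it is the initiator
    minimum: int  # lowest value this side accepts as responder
    maximum: int  # highest value this side accepts as responder


def parse_lifetime(spec: str) -> Lifetime:
    """Parse 'value,min:max', e.g. '1200,60:86400' (assumed syntax)."""
    value_s, range_s = spec.split(",", 1)
    min_s, max_s = range_s.split(":", 1)
    lt = Lifetime(int(value_s), int(min_s), int(max_s))
    if lt.minimum > lt.maximum:
        raise ValueError(f"min {lt.minimum} exceeds max {lt.maximum}")
    if not lt.minimum <= lt.value <= lt.maximum:
        raise ValueError(f"proposed {lt.value}s is outside {lt.minimum}:{lt.maximum}")
    return lt


def responder_accepts(proposed: int, responder: Lifetime) -> bool:
    """Responder side: no counter-proposal, just a range check."""
    return responder.minimum <= proposed <= responder.maximum


def negotiate_hard_lifetime(initiator: Lifetime, responder: Lifetime) -> Optional[int]:
    """Hard lifetime is the initiator's value if the responder tolerates it, else None."""
    proposed = initiator.value
    return proposed if responder_accepts(proposed, responder) else None


def soft_lifetime(hard: int, rng: random.Random) -> int:
    """Rekey trigger: a random point around 90% of the hard lifetime (assumed 85-95%)."""
    fraction = 0.85 + rng.random() * 0.10
    return int(hard * fraction)


def rekey_interval(initiator_spec: str, responder_spec: str, seed: int = 0) -> Optional[int]:
    """Seconds until the initiator-driven SA is rekeyed, or None if the proposal is refused."""
    hard = negotiate_hard_lifetime(parse_lifetime(initiator_spec), parse_lifetime(responder_spec))
    if hard is None:
        return None
    return soft_lifetime(hard, random.Random(seed))


if __name__ == "__main__":
    # Constructed values: one peer configured for 8 hours, the other for 20 minutes.
    eight_hours = "28800,60:86400"
    twenty_min = "1200,60:86400"
    # Which side initiates decides the outcome; there is no meeting in the middle.
    print("8h side initiates :", rekey_interval(eight_hours, twenty_min), "s")
    print("20m side initiates:", rekey_interval(twenty_min, eight_hours), "s")
    # A responder whose max is below the proposal simply refuses it.
    print("refused          :", rekey_interval(eight_hours, "1200,60:3600"))
```

Running the demo makes Angelos's closing question concrete: with these two configurations the rekey lands either a little under 8 hours or a little under 20 minutes depending on who initiates, so an observed interval that matches neither side's setting is worth chasing down by checking which peer is actually starting the Phase 2 exchange.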