[strongSwan] IKEv1 phase 1 and 2 timeouts

STRANSKY Rainer - Contractor rainer.stransky at external.thalesgroup.com
Thu Dec 1 10:34:46 CET 2011


Hi Andreas,

I found in the KAME project settings for their racoon ISAKMP daemon a Timer Specification section:
  Timer Specification
     timer { statements }
          This section specifies various timer values used by racoon.
          counter number;
              The maximum number of retries to send.  The default is 5.
          interval number timeunit;
              The interval to resend, in seconds.  The default time is
              10 seconds.
          persend number;
              The number of packets per send.  The default is 1.
==>       phase1 number timeunit;
              The maximum time it should take to complete phase 1.  The
              default time is 15 seconds.
==>       phase2 number timeunit;
              The maximum time it should take to complete phase 2.  The
              default time is 10 seconds.

The phase1 and phase2 timers seem to be overall timers covering the complete exchange of all messages of the two IKE phases.
The default values are very close to those mentioned in the German "BSI IT-Grundschutz-Kataloge", chapter M 5.149.
Are there similar values or fixed default values in strongSwan?

Regards

Rainer

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Monday, 28 November 2011 22:24
> To: STRANSKY Rainer - Contractor
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IKEv1 phase 1 and 2 timeouts
> 
> Hi Rainer,
> 
> 15 seconds and 10 seconds are utterly masochistic! The daemon will
> be occupied with rekeying all the time! Our defaults are 3 hours
> for phase 1 and 1 hour for phase2 which is very paranoid compared
> with commercial products which rather opt for 24h / 8h.
> 
> Regards
> 
> Andreas
> 
> On 11/28/2011 07:42 PM, STRANSKY Rainer - Contractor wrote:
> > The German "BSI Grundschutzhandbuch" requests that timeouts for the
> > IKE phase 1 and 2 shall not be too large.
> >
> > As an example 15 seconds for phase 1 and 10 seconds for phase 2 are
> > mentioned.
> >
> > What is the reason for this ?
> >
> > What are the configuration options in strongSwan for these timeout
> > values ?
> >
> > Regards
> >
> > Rainer
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
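As an added illustration, not part of this thread and not taken from the strongSwan or racoon documentation, here are the strongSwan settings that correspond most closely to the racoon timer statements quoted above, split across ipsec.conf and strongswan.conf. The key names are the ones I know from the strongSwan manual pages: ikelifetime and lifetime are the IKE SA and IPsec SA lifetimes that govern rekeying, whereas charon.retransmit_* and charon.half_open_timeout limit retransmissions and how long an unfinished handshake may linger, which is the kind of quantity racoon's counter, interval and phase1 timers control. The values shown are the defaults as I remember them, and whether a given key exists depends on the strongSwan version, so treat both as assumptions to check against the installed version.

```ini
# ipsec.conf (assumed example, not from the thread)
conn example-ikev1
    keyexchange=ikev1
    # Lifetime of the IKE (phase 1) SA; assumed strongSwan default 3h
    ikelifetime=3h
    # Lifetime of the IPsec (phase 2) SA; assumed strongSwan default 1h
    lifetime=1h
    # Start rekeying this long before expiry, with random fuzz so that
    # both peers do not attempt to rekey at exactly the same moment
    margintime=9m
    rekeyfuzz=100%
    rekey=yes

# strongswan.conf (assumed example, not from the thread)
charon {
    # Retransmission of unanswered IKE messages: up to 5 retries,
    # first after 4 s, each interval growing by a factor of 1.8.
    # Comparable in purpose to racoon's "counter" and "interval".
    retransmit_tries = 5
    retransmit_timeout = 4.0
    retransmit_base = 1.8
    # Seconds a half-open (not yet established) IKE_SA may exist before
    # it is discarded; the closest equivalent to racoon's "phase1" timer,
    # and the value to tighten if the goal is to bound handshake duration
    # rather than SA lifetime.
    half_open_timeout = 30
}
```

Keeping the two groups of settings apart matters when reading guidance like the BSI figures: a bound on how long a handshake may take can be short without forcing constant rekeying, while short SA lifetimes do, which is the cost Andreas describes.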
