[strongSwan] IKEv1 phase 1 and 2 timeouts

Andreas Steffen andreas.steffen at strongswan.org
Thu Dec 1 10:41:35 CET 2011


Hello Rainer,

here is a link to our IKEv2 retransmission HOWTO:

http://wiki.strongswan.org/projects/strongswan/wiki/Retransmission

The IKEv1 timeouts are similar (5 retransmissions spread over about
2-3 minutes) but not configurable.

Regards

Andreas

On 01.12.2011 10:34, STRANSKY Rainer - Contractor wrote:
> 
> Hi Andreas,
> 
> I found in the KAME project settings for their racoon ISAKMP daemon a Timer Specification section:
>   Timer Specification
>      timer { statements }
>           This section specifies various timer values used by racoon.
>           counter number;
>               The maximum number of retries to send.  The default is 5.
>           interval number timeunit;
>               The interval to resend, in seconds.  The default time is
>               10 seconds.
>           persend number;
>               The number of packets per send.  The default is 1.
> ==>       phase1 number timeunit;
>               The maximum time it should take to complete phase 1.  The
>               default time is 15 seconds.
> ==>       phase2 number timeunit;
>               The maximum time it should take to complete phase 2.  The
>               default time is 10 seconds.
> 
> The phase1 and phase2 timers seem to be complete preparation timers for all messages of the two IKE phases.
> The default values are very near to those mentioned in the German "BSI IT-Grundschutz-Kataloge" chapter M 5.149.
> Are there similar values or fixed default values in strongSwan?
> 
> Regards
> 
> Rainer
> 
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: Monday, 28 November 2011 22:24
>> To: STRANSKY Rainer - Contractor
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] IKEv1 phase 1 and 2 timeouts
>>
>> Hi Rainer,
>>
>> 15 seconds and 10 seconds are utterly masochistic! The daemon will
>> be occupied with rekeying all the time! Our defaults are 3 hours
>> for phase 1 and 1 hour for phase 2 which is very paranoid compared
>> with commercial products which rather opt for 24h / 8h.
>>
>> Regards
>>
>> Andreas
>>
>> On 11/28/2011 07:42 PM, STRANSKY Rainer - Contractor wrote:
>>> The German "BSI Grundschutzhandbuch" requests that timeouts for the IKE
>>> phase 1 and 2 shall not be too large.
>>>
>>> As an example 15 seconds for phase 1 and 10 seconds for phase 2 are
>>> mentioned.
>>>
>>> What is the reason for this?
>>>
>>> What are the configuration options in strongSwan for these timeout
>>> values?
>>>
>>> Regards
>>>
>>> Rainer

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
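The "5 retransmissions spread over about 2-3 minutes" that Andreas mentions is the practical counterpart of racoon's phase1/phase2 timers: an IKEv2 exchange that gets no reply is retried on a growing schedule and the IKE_SA is deleted when the last wait expires. The following calculator is an added example and is not code from the strongSwan project; it uses the exponential back-off formula documented on the Retransmission wiki page linked above, timeout(n) = retransmit_timeout * retransmit_base^n for n = 0 .. retransmit_tries, with charon's default values retransmit_timeout = 4.0 s, retransmit_base = 1.8 and retransmit_tries = 5. The strongswan.conf fragment it renders uses those three real charon.* keys; the tighter configuration at the bottom is a constructed illustration, not a recommendation.

```python
"""Retransmission schedule for strongSwan's IKEv2 daemon (charon).

Added example (not strongSwan code). Formula and defaults as documented in
the strongSwan Retransmission wiki page:

    timeout(n) = retransmit_timeout * retransmit_base ** n,  n = 0 .. retransmit_tries

Entry 0 is the wait after the initial send; entries 1..tries are the waits
after each retransmission. When the last wait expires the IKE_SA is deleted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetransmitConfig:
    timeout: float = 4.0   # charon.retransmit_timeout (seconds), default 4.0
    base: float = 1.8      # charon.retransmit_base, default 1.8
    tries: int = 5         # charon.retransmit_tries, default 5


def schedule(cfg: RetransmitConfig = RetransmitConfig()) -> list[float]:
    """Wait time (seconds) before each successive retransmission / give-up."""
    return [cfg.timeout * cfg.base ** n for n in range(cfg.tries + 1)]


def timeline(cfg: RetransmitConfig = RetransmitConfig()) -> list[float]:
    """Offsets after the initial send at which each retransmission goes out.

    The last entry is the moment the exchange is abandoned; this is the
    IKEv2 analogue of racoon's 'maximum time to complete phase 1/2'.
    """
    offsets, elapsed = [], 0.0
    for wait in schedule(cfg):
        elapsed += wait
        offsets.append(round(elapsed, 3))
    return offsets


def total_timeout(cfg: RetransmitConfig = RetransmitConfig()) -> float:
    """Seconds from the first send until the peer is declared unreachable."""
    return sum(schedule(cfg))


def render_strongswan_conf(cfg: RetransmitConfig) -> str:
    """Emit the charon section of strongswan.conf for a given configuration."""
    return (
        "charon {\n"
        f"    retransmit_timeout = {cfg.timeout}\n"
        f"    retransmit_base = {cfg.base}\n"
        f"    retransmit_tries = {cfg.tries}\n"
        "}\n"
    )


def describe(label: str, cfg: RetransmitConfig) -> str:
    """Human-readable summary used when running the module stand-alone."""
    secs = total_timeout(cfg)
    return (f"{label}: retransmits at {timeline(cfg)[:-1]} s, "
            f"gives up after {secs:.1f} s (~{secs / 60:.1f} min)")


if __name__ == "__main__":
    default = RetransmitConfig()
    print(describe("charon defaults", default))
    print(render_strongswan_conf(default))
    # Constructed tighter setting: faster dead-peer detection, more sensitive
    # to packet loss on lossy links. Shown only to illustrate the trade-off.
    tight = RetransmitConfig(timeout=2.0, base=1.5, tries=3)
    print(describe("constructed tight setting", tight))
    print(render_strongswan_conf(tight))
```

With the defaults the schedule is 4.0, 7.2, 12.96, 23.33, 41.99 and 75.58 seconds, so the peer is declared dead roughly 165 seconds after the first unanswered message, which is the "2-3 minutes" from the reply above. Lowering the values shortens failure detection but makes a single lost UDP datagram on a congested link more likely to tear down an otherwise healthy SA, which is why values like racoon's 15 s / 10 s are a poor fit for production tunnels.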
