[strongSwan] IKEv1 phase 1 and 2 timeouts

Andreas Steffen andreas.steffen at strongswan.org
Mon Nov 28 22:24:16 CET 2011


Hi Rainer,

15 seconds and 10 seconds are utterly masochistic! The daemon will
be occupied with rekeying all the time! Our defaults are 3 hours
for phase 1 and 1 hour for phase 2, which is very paranoid compared
with commercial products which rather opt for 24h / 8h.

Regards

Andreas

On 11/28/2011 07:42 PM, STRANSKY Rainer - Contractor wrote:
> The German "BSI Grundschutzhandbuch" requests that timeouts for the IKE
> phase 1 and 2 shall not be too large.
>
> As an example 15 seconds for phase 1 and 10 seconds for phase 2 are
> mentioned.
>
> What is the reason for this?
>
> What are the configuration options in strongSwan for these timeout values?
>
> Regards
>
> Rainer

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==



