From: Richard Dumoulin (Richard.Dumoulin@vanco.fr)
Date: Sun Nov 12 2006 - 10:56:29 ART
Phase 2 SA lifetimes need to be equal, I believe, at both sides.
However, the Phase 1 SA lifetime of the initiator needs to be smaller than the one of the server.
-- Richard
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Sent: Sunday, November 12, 2006 1:57 PM
To: security@groupstudy.com; ccielab@groupstudy.com
Subject: vpn -- SA lifetime
Hi guys,
Lifetimes, for both the mgmt SA (ISAKMP) and the data SAs (IPSec), can be
configured independently.
That being the case, does it matter what the values are relative to one
another?
IOW, should the lifetime for the mgmt SA be equal to, smaller than or larger
than the data lifetime?
Is there a "Best Practice" when it comes to selecting these values?
I know the lifetime parameter can be left at its default value but I'd like
to know if one value is changed, should the other value also be changed and
how to think about this issue.
Thanks very much for any feedback on this.
Tim