This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IKE and IPsec SA lifetime Values

According to the help file within the Sophos UTM 220, acceptable values for SA Lifetime are:

IKE
Valid values are between 60 sec and 28800 sec (8 hrs). The default value is 7800 seconds

IPSec
Valid values are between 60 sec and 86400 sec (1 day). The default value is 3600 seconds.

From everything I gathered, the Lifetime for IKE ( Phase 1 ) should ALWAYS be greater than the Lifetime for IPSec.

If that is true, Why does the help file indicate IPSec has a vlaid range to 86400 and IKE a valid range to only 28800 ?

Is it simply the help file is BACKWARDS ?

Other products indicate a preferred value of IKE (Phase1) Lifetime of 86400.

On most of my VPN connections ( more than 100 ) I am using a value of 28800 for Phase1 (IKE) and 86400 for Phase2 ( IPSec).

Apparently I have been doing this wrong.

Phase2 should be less that Phase1 ; so I should flip the values and disregard the help file.

Is Phase1(IKE) of 86400 and Phase2(IPSec) 28800 an ok setting ?
The default of 7800 and 3600 seem to short too me.

Thanks

This thread was automatically locked due to age.

Parents

0 BAlfson over 8 years ago

You can see the value stored for "AES-128 PFS" with cc get_object_by_name ipsec policy 'AES-128 PFS'. If that says 86400, you will need to check the log. Search for ike to see if rekeying happens 3-to-4 times in a day, or just once. Please report your result here.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 8 years ago

You can see the value stored for "AES-128 PFS" with cc get_object_by_name ipsec policy 'AES-128 PFS'. If that says 86400, you will need to check the log. Search for ike to see if rekeying happens 3-to-4 times in a day, or just once. Please report your result here.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 DaveG over 8 years ago in reply to BAlfson

The cc get_object command for the policy I am using reflects the settings I made in the GUI.

'autoname' => 0,
          'class' => 'ipsec',
                      'ike_auth_alg' => 'sha1',
                      'ike_dh_group' => 'modp1024',
                      'ike_enc_alg' => 'aes256',
                      'ike_sa_lifetime' => 28800,
                      'ipsec_auth_alg' => 'sha1',
                      'ipsec_compression' => 0,
                      'ipsec_enc_alg' => 'aes256',
                      'ipsec_pfs_group' => 'null',
                      'ipsec_sa_lifetime' => 86400,
                      'ipsec_strict_policy' => 0,
                                          },
          'hidden' => 0,
          'lock' => '',
          'nodel' => '',
                   'type' => 'policy'

You see that I have IKE = 28800 and ipsec = 86400.
( in my opinion should be IKE = 86400 and ipsec = 3600 )

I cannot search for IKE in the logs as I have thousands of entry's due to a customer changing equipment on their end of one of the tunnels and is not matching my end somehow.

Mostly just "ignoring informational payload, type NO_PROPOSAL_CHOSEN"
and
starting keying attempt 5108 of an unlimited number
#547701: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #547645 {using isakmp#526754}

I think I answered my only question - when trying to enter a very large number for SA Lifetime, I get this message for BOTH IKE and IPSec:

The IPsec policy object requires a number in the range 60-86400 for the IKE SA lifetime attribute

So the Help file is just incorrect.

Best setting for most cases is: IKE = 86400 and ipsec = 3600

Now on to figure out WHY one customer is flooding my VPN logs.

Dave
Cancel
Vote Up 0 Vote Down

Cancel