Hi Rainer,

15 seconds and 10 seconds are utterly masochistic! The daemon will be occupied with rekeying all the time! Our defaults are 3 hours for phase 1 and 1 hour for phase 2, which is very paranoid compared with commercial products, which rather opt for 24h / 8h.

Regards

Andreas

On 11/28/2011 07:42 PM, STRANSKY Rainer - Contractor wrote:
> The German "BSI Grundschutzhandbuch" requests that timeouts for the IKE
> phase 1 and 2 shall not be too large.
>
> As an example 15 seconds for phase 1 and 10 seconds for phase 2 are
> mentioned.
>
> What is the reason for this?
>
> What are the configuration options in strongSwan for these timeout values?
>
> Regards
>
> Rainer

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
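
The rekeying load behind the lifetimes discussed in this thread, as an added example that is not part of the original messages or of strongSwan's code. It assumes the ipsec.conf keywords `ikelifetime` (phase 1), `lifetime` (phase 2), `margintime` and `rekeyfuzz` with the rekey-time formula from the ipsec.conf man page; the 2s and 3s margins used for the short lifetimes are constructed values.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Parse an ipsec.conf-style time value such as '3h', '9m' or '15s'."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def rekey_window(lifetime, margintime="9m", rekeyfuzz=100):
    """Return (earliest, latest) seconds after SA setup at which rekeying starts.

    ipsec.conf: rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
    Defaults assumed here: margintime=9m, rekeyfuzz=100%.
    """
    life, margin = seconds(lifetime), seconds(margintime)
    latest = life - margin                        # random part = 0
    earliest = latest - margin * rekeyfuzz // 100  # random part at its maximum
    return earliest, latest

def min_rekeys_per_day(lifetime, margintime="9m", rekeyfuzz=100):
    """Lower bound on rekeys per day per SA, or None if the margin does not fit."""
    _, latest = rekey_window(lifetime, margintime, rekeyfuzz)
    if latest <= 0:
        return None  # margintime is not smaller than the lifetime
    return 86400 // latest

def report():
    # (label, keyword, lifetime, margintime); values from the thread,
    # except the short margins, which are constructed for illustration.
    cases = [
        ("strongSwan default phase 1", "ikelifetime", "3h", "9m"),
        ("strongSwan default phase 2", "lifetime", "1h", "9m"),
        ("commercial phase 1", "ikelifetime", "24h", "9m"),
        ("commercial phase 2", "lifetime", "8h", "9m"),
        ("BSI example phase 1, default margin", "ikelifetime", "15s", "9m"),
        ("BSI example phase 1, 3s margin", "ikelifetime", "15s", "3s"),
        ("BSI example phase 2, 2s margin", "lifetime", "10s", "2s"),
    ]
    rows = []
    for label, key, life, margin in cases:
        n = min_rekeys_per_day(life, margin)
        rows.append((label, f"{key}={life} margintime={margin}", n))
    return rows

if __name__ == "__main__":
    for label, cfg, n in report():
        print(f"{label:38} {cfg:32} "
              + (f">= {n} rekeys/day" if n else "margin exceeds lifetime"))
```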
