Hello Rainer,

here is a link to our IKEv2 retransmission HOWTO:

http://wiki.strongswan.org/projects/strongswan/wiki/Retransmission

The IKEv1 timeouts are similar (5 retransmissions spread over
about 2-3 minutes) but not configurable.

Regards

Andreas

On 01.12.2011 10:34, STRANSKY Rainer - Contractor wrote:
>
> Hi Andreas,
>
> I found in the KAME project settings for their racoon ISAKMP daemon a Timer
> Specification section:
>    Timer Specification
>      timer { statements }
>              This section specifies various timer values used by racoon.
>              counter number;
>                      The maximum number of retries to send. The default is 5.
>              interval number timeunit;
>                      The interval to resend, in seconds. The default time is
>                      10 seconds.
>              persend number;
>                      The number of packets per send. The default is 1.
> ==>          phase1 number timeunit;
>                      The maximum time it should take to complete phase 1. The
>                      default time is 15 seconds.
> ==>          phase2 number timeunit;
>                      The maximum time it should take to complete phase 2. The
>                      default time is 10 seconds.
>
> The phase1 and phase2 timers seem to be complete preparation timers for all
> messages of the two IKE phases.
> The default values are very near to those mentioned in the German "BSI
> IT-Grundschutz-Kataloge" chapter M 5.149.
> Are there similar values or fixed default values in strongSwan?
>
> Regards
>
> Rainer
>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:[email protected]]
>> Sent: Monday, 28 November 2011 22:24
>> To: STRANSKY Rainer - Contractor
>> Cc: [email protected]
>> Subject: Re: [strongSwan] IKEv1 phase 1 and 2 timeouts
>>
>> Hi Rainer,
>>
>> 15 seconds and 10 seconds are utterly masochistic! The daemon will
>> be occupied with rekeying all the time! Our defaults are 3 hours
>> for phase 1 and 1 hour for phase 2, which is very paranoid compared
>> with commercial products, which rather opt for 24h / 8h.
>>
>> Regards
>>
>> Andreas
>>
>> On 11/28/2011 07:42 PM, STRANSKY Rainer - Contractor wrote:
>>> The German "BSI Grundschutzhandbuch" requests that timeouts for the IKE
>>> phase 1 and 2 shall not be too large.
>>>
>>> As an example 15 seconds for phase 1 and 10 seconds for phase 2 are
>>> mentioned.
>>>
>>> What is the reason for this?
>>>
>>> What are the configuration options in strongSwan for these timeout values?
>>>
>>> Regards
>>>
>>> Rainer

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
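
The backoff behind the "5 retransmissions spread over about 2-3 minutes" figure, worked through as an added example that is not part of the original mail or of strongSwan's code. It assumes the strongswan.conf defaults documented by strongSwan (charon.retransmit_timeout 4.0 s, charon.retransmit_base 1.8, charon.retransmit_tries 5), which the thread does not quote; the function names are hypothetical.

```python
"""IKEv2 exponential-backoff retransmission schedule (added example)."""

# Assumed defaults, taken from strongSwan's strongswan.conf documentation,
# not from the thread above.
TIMEOUT = 4.0   # charon.retransmit_timeout, seconds
BASE = 1.8      # charon.retransmit_base
TRIES = 5       # charon.retransmit_tries


def schedule(timeout=TIMEOUT, base=BASE, tries=TRIES):
    """Return (elapsed seconds at each retransmit, give-up time in seconds).

    The wait before retransmit n is timeout * base**(n-1); after the last
    retransmit one further, longer wait passes before the peer is given up.
    """
    if timeout <= 0 or base < 1 or tries < 0:
        raise ValueError("need timeout > 0, base >= 1 and tries >= 0")
    elapsed, sent_at = 0.0, []
    for n in range(tries + 1):
        elapsed += timeout * base ** n
        if n < tries:
            sent_at.append(round(elapsed, 2))
    return sent_at, round(elapsed, 2)


def packets_sent_by(seconds, **kw):
    """Packets on the wire (initial + retransmits) after `seconds` of silence."""
    sent_at, _ = schedule(**kw)
    return 1 + sum(1 for t in sent_at if t <= seconds)


def tries_for_budget(budget, timeout=TIMEOUT, base=BASE):
    """Largest retransmit_tries whose give-up time stays within `budget` s."""
    tries = -1
    while schedule(timeout, base, tries + 1)[1] <= budget:
        tries += 1
    if tries < 0:
        raise ValueError("budget is shorter than the first timeout")
    return tries


if __name__ == "__main__":
    sent_at, give_up = schedule()
    for n, t in enumerate(sent_at, 1):
        print(f"retransmit {n} at {t:7.2f} s")
    print(f"give up after {give_up:.2f} s")
    print("tries that fit a 60 s detection budget:", tries_for_budget(60))
```

With the assumed defaults the exchange is abandoned after roughly 165 seconds, which matches the "about 2-3 minutes" in the mail.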
