Mike Drechsler - SPAM PROTECTED EMAIL 2005-08-29, 2:46 am
Vince wrote:
> Mike,
>
> Thanks for the feedback. I will set up the IPSEC w/3DES as soon as I
> get the other routers and report back.
>
> You mentioned that the DES keys are changed when the phase 1 connection
> is renegotiated. If I have a persistent 24-hour scheduled connection
> for the tunnel, would the phase 1 keys theoretically not change until
> it was "bounced" by external factors (power, ISP burp, etc.)?
>
There is a setting in the Phase 1 configuration that will determine the
length of time or amount of data before a rekey event. Default settings
are for 28800 seconds and no data amount restriction. It's in the
advanced IKE Phase 1 options screen. I cannot remember exactly, but I
believe that the keys are renegotiated sometime before they actually
expire, similar to a DHCP lease, since this would be disruptive to the
link if it waited until the limits. There is a preference to use the
new security association (key) immediately after it's established or to
wait until the old one expires. I don't know that it makes much
difference except in the case where you are trying to tweak a connection
between the routers of two different manufacturers.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)