Mar 122012
 

Some Infos were found here

Information gathered (so far) about SA lifetime and rekeying behavior

CISCO ASA (info as of version 8.3(2)):
Will initiate Phase 1 rekey at 50% of the negotiated (seconds) lifetime.  Behavior not configurable.
Will initiate Phase 2 rekey at 95% of the negotiated (seconds) lifetime, but no later than 60 seconds before the SA expires (i.e. if < 1200 seconds negotiated).  Behavior not configurable.
Will negotiate Phase 1/Phase 2 seconds/KB down to what client requests.

Windows XP:
Will negotiate down Phase 2 (seconds) lifetime.  (KB behavior untested)

Windows Vista/Win7:
Will fail initial negotiation if Phase 2 lifetime (seconds or kilobytes) on server is less than on client (will not negotiate down.)

All Windows Native L2TP (RASMAN automatic “IP security policy”):
Phase 1 lifetime is fixed, non-configurable at 28800 seconds
Phase 2 lifetime is fixed, non-configurable at 3600 seconds
Phase 2 KB is fixed, non-configurable at 250000KB

All Windows Native L2TP (RASMAN ProhibitIpSec=1 and manually installed “IP security policy”):
Phase 2 lifetime (KB and seconds) configurable.
Will initiate Phase 2 rekey 80 seconds before phase2 SA expiry (behavior not configurable.)

Linux StrongSwan Client:
Phase 1/Phase 2 lifetime (seconds) configurable, but see below
Phase 2 “rekeymargin” parameter determines (absolute) time before expiry when client initiates rekey.
Phase 2 “rekeyfuzz” can add random amounts of time when used in server mode with many connections.
Care must be taken.  If the margin and fuzz total more than the lifetime, no rekey initiated.

OSX (racoonish) native client:
still untested (I believe its 3600 seconds)

ShrewSoft VPN: Phase 2 timeout can be configured

VPNC (Linux): 28800 seconds

 

In addition I found that ASA with current Firmware (as of 02/2012) will freeze the tunnel during renegotiation for some seconds (~10 seconds)

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)