Netgate Discussion Forum
    Expiry times

    Category: IPsec
    13 Posts 2 Posters 3.9k Views
    • jimp (Rebel Alliance Developer, Netgate)

      Pretty much. Though if you set keep-alive IPs on both ends of the tunnel it should stay pretty consistent.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!
      • jonnytabpni

        Hmm, OK, this has got me worried again.

        I do have keep-alives set on all tunnels.
        • jimp (Rebel Alliance Developer, Netgate)

          Are they set to a LAN (private) IP inside of the tunnel's defined remote subnet? If so, it should be keeping that tunnel going (and making it renegotiate when it fails).

          • jonnytabpni

            Hmm, the keys seem to expire after 48 mins, even though I've specified 60 mins.

            Yup, all keep-alives are set to the remote endpoint in the remote subnet.
            • jonnytabpni

              Should both lifetimes be set to 3600 in pfSense 1.2.3? Currently, I only have phase 2 set to 3600; phase 1 is left blank.

              What about 2.0 BETA3 settings?

              • jimp (Rebel Alliance Developer, Netgate)

                I think if it's left blank, 3600 is the default.

                If you want to be sure, set it everywhere.

                • jonnytabpni

                  Thanks jimp, I'll try this when I get home (my netbook just ran out of battery!)

                  What is the difference between phase 1 and phase 2 lifetimes? Can I set them both to 3600? Currently, phase 2 is 3600 everywhere, and phase 1 is blank everywhere.

                  Thanks

                  • jimp (Rebel Alliance Developer, Netgate)

                    It's the time at which those phases will expire. You generally do not want them set the same, as if they renegotiate at the same time, it is more likely to cause delays.

                    • jonnytabpni

                      Hi jimp,

                      I don't understand what is happening. I have set the phase 1 lifetime to 28800 everywhere and the phase 2 lifetime to 3600 everywhere; however, the keys expire after exactly 48 minutes instead of 60.

                      At least it's 48 minutes consistently, but why 48? I have 3 boxes doing this…

                      Thanks

                      • jimp (Rebel Alliance Developer, Netgate)

                        Not sure why that might be. Does it go up if you increase the timeout?

                        The timeout may just be a 'maximum' and rekeying earlier is actually better (more secure) than letting the keys fully expire.

                        We don't set a data timeout or I'd suspect it might be triggering another limit.

                        What shows up in the logs when it expires?

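The "48 minutes out of 60" observation and jimp's remark that the timeout may only be a maximum can be reasoned about with a small model. This is an added example, not pfSense or racoon code; it assumes (an assumption, not confirmed by the thread) a daemon that rekeys at a soft lifetime equal to 80% of the configured hard lifetime, which would turn a 3600 s phase 2 lifetime into a 2880 s rekey interval, and it parses constructed log lines in a made-up format. It also checks when phase 1 and phase 2 rekeys coincide, the overlap jimp warns about when both lifetimes are set the same.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed sample log, NOT racoon's real format: one line per phase-2 rekey.
SAMPLE_LOG = """\
2010-05-01 08:00:00 ipsec: phase2 SA established peer=203.0.113.10
2010-05-01 08:48:00 ipsec: phase2 SA established peer=203.0.113.10
2010-05-01 09:36:00 ipsec: phase2 SA established peer=203.0.113.10
2010-05-01 10:24:00 ipsec: phase2 SA established peer=203.0.113.10
"""
LINE_RE = re.compile(r"^(\S+ \S+) ipsec: phase2 SA established")

# Assumed soft/hard ratio: rekey fires at 80% of the configured lifetime.
SOFT_FRACTION = 0.8


def rekey_intervals(log: str) -> list[int]:
    """Seconds between consecutive phase-2 SA establishments in the log."""
    stamps = [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
              for m in map(LINE_RE.match, log.splitlines()) if m]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def explain_interval(observed: int, hard_lifetime: int, tolerance: float = 0.02) -> str:
    """Classify an observed rekey interval against the configured hard lifetime."""
    ratio = observed / hard_lifetime
    if abs(ratio - SOFT_FRACTION) <= tolerance:
        return "soft-lifetime rekey (early, before hard expiry)"
    if abs(ratio - 1.0) <= tolerance:
        return "hard-lifetime expiry"
    return "other trigger (DPD/keep-alive failure or a data limit?)"


def rekey_collisions(p1_lifetime: int, p2_lifetime: int, window: int) -> list[int]:
    """Times (s, within window) at which phase 1 and phase 2 rekey together."""
    def schedule(lifetime: int) -> set[int]:
        step = round(lifetime * SOFT_FRACTION)
        return set(range(step, window + 1, step))
    return sorted(schedule(p1_lifetime) & schedule(p2_lifetime))


if __name__ == "__main__":
    for gap in rekey_intervals(SAMPLE_LOG):
        print(gap, "s ->", explain_interval(gap, 3600))
    print("P1=28800/P2=3600 collide at:", rekey_collisions(28800, 3600, 86400))
    print("P1=P2=3600 collide at:", rekey_collisions(3600, 3600, 7200))
```

With equal lifetimes every phase 2 rekey lands on a phase 1 rekey; with 28800/3600 they still coincide every eighth phase 2 rekey, because one is a multiple of the other.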
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.