Expiry times
-
It may depend on other factors, including how long it took to fully renegotiate. It may have expired and not had any traffic try to pass the tunnel until then, too.
-
Ahh the no traffic scenario would make sense
As long as the tunnel is working, I should just forget about this, yes?
-
Pretty much. Though if you set keep-alive IPs on both ends of the tunnel it should stay pretty consistent.
-
Hmm ok this has got me worried again..
I do have keep alives set on all tunnels..
-
Are they set to a LAN (private) IP inside of the tunnel's defined remote subnet? If so, it should be keeping that tunnel going (and making it renegotiate when it fails)
-
Hmm, they keys seem to expire after 48mins, even though I've specified 60mins.
Yup, all keep alives are set to the remote enpoint in the remote subnet
-
Should both lifetimes be set to 3600 in pfsense 1.2.3? Currently, I only have phase 2 set to 3600, phase one is left blank
What about 2.0 BETA3 settings?
-
I think if it's left blank, 3600 is the default.
If you want to be sure, set it everywhere.
-
Thanks jimp, I'll try this when I get home (my netbook just ran out of battery!)
what is the difference between phase 1 and phase 2 lifetimes? Can I set them both to 3600? Currently, phase 2 is 3600 everywhere, and phase 1 is blank everywhere
Thanks
-
It's the time at which those phases will expire. You generally do not want them set the same, as if they renegotiate at the same time, it is more likely to cause delays.
-
Hi jimp,
I don't understand what is happening. I have set phase 1 lifetime to 28800 everywhere and phase 2 lifetime to 3600 everywhere, however the keys expire exactly 48 minutes, instead of 60.
At least it's 48 minutes consistently, but why 48? I have 3 boxes doing thisโฆ
Thanks
-
Not sure why that might be. Does it go up if you increase the timeout?
The timeout may just be a 'maximum' and rekeying earlier is actually better (more secure) than letting the keys fully expire.
We don't set a data timeout or I'd suspect it might be triggering another limit.
What shows up in the logs when it expires?
