Hi,
using ipsec, there are two lifetime values which can be configured:
One is the
/ip ipsec proposal lifetime
and the other is the
/ip ipsec peer lifetime
a) Can some please explain the relationship between these lifetimes values
b) Should the proposal lifetime < peer lifetime
c) Or any other rule here?
Thanks a lot for some expert knowledge.
Achim
-
-
NetVicious
Member Candidate
- Posts: 128
- Joined:
- Location: Spain
Re: ipsec lifetime clarification
Proposal it's the phase 2 of IPSec and it's lifetime means when it should renew the SAs used.
Peer it's the phase 1 of IPSec and it's lifetime means when it should close the current connection and create a new one.
On the IP / IpSec / Peers you could see the phase 1, and if you double-click one you will see the established time. This one should never be greater than the phase 1 lifetime.
On the Installed SAs tab you have the same but for phase 2.
Peer it's the phase 1 of IPSec and it's lifetime means when it should close the current connection and create a new one.
On the IP / IpSec / Peers you could see the phase 1, and if you double-click one you will see the established time. This one should never be greater than the phase 1 lifetime.
On the Installed SAs tab you have the same but for phase 2.