VPN Lifetime Best Practices - What are your opinions....

Unanswered Question
May 8th, 2007


I have been talking with some peers of mine regarding the Phase 1 and Phase 2 lifetimes in IKE/IPsec and wondering if they should be tweaked to accomplish a "best practices" scenario.

One argument is to make Phase 1 and Phase 2 the same lifetime... as they take place independently, I really don't see what value there is in this, but I don't see the downside either.

The default is 24 hours for IKE Phase 1 and 8 hours for Phase 2. What is your opinion on what they should be, and perhaps a reason why I should change the default?


visaxena Sat, 05/12/2007 - 22:06

Why do we bother to change the user password every 45 days or so? Because our security policy says so, for real security reasons.

The same is with P1 and P2 SAs.

They are there for the security reasons.

If the man in the middle got the P2 key through brute force or some other means, and if P2 has been configured not to rekey, then you will lose the security of your entire session/lifetime of the VPN tunnel.

If P2 has been configured to rekey at specified intervals, then you will lose the security for that session only, because the key is going to change for the next session, which can be defined based on the amount of traffic or time.

If the stress is on specified P2 rekey intervals, then PFS should be used; otherwise, if the key mat is compromised, there is no use in rekeying. PFS ensures that, to generate the new key, key mat (key generating material) that has already been used is not reused, thereby keeping the raw material used to generate each key unique.

Cisco routers use independent SAs for P1 and P2, whereas the PIX uses channelised SAs. The difference is that in one the P2 SA is not tied to the ISAKMP SA, and in the other it is tied to the P1 SA. Routers have independent P1 and P2 SAs, and that's the reason why you see the tunnel working even when there is no P1 SA. It is the opposite on PIXes.

The specification says that the lesser lifetime in either phase has to be honored by the initiator/responder; however, this is where different implementations fail to bring up the tunnel, so keep the lifetime the same on both sides.

My opinion is to leave them as they are if the other side is of the same breed and vendor; otherwise, match them ON BOTH SIDES to whatever your security policy says.
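The rekey-with-PFS argument in the answer above can be made concrete with a small model. The following is an added example, not code from the original thread or from Cisco: it derives Phase 2 key material in the shape used by IKEv2 (RFC 7296 section 2.17, KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr), with a single HMAC-SHA256 call standing in for prf+) and shows what an attacker who has already obtained the shared key material ("key mat") and the rekey nonces can and cannot compute. The DH group, the nonce sizes and the function names are assumptions constructed for the illustration; the modulus is a toy prime, not an IKE group.

```python
"""Toy model of IPsec Phase 2 (child SA) rekeying with and without PFS.

Constructed illustration (not Cisco's or any vendor's code): if the shared
key material SK_d has been compromised, a non-PFS rekey produces keys the
attacker can reproduce, while a PFS rekey mixes in a fresh Diffie-Hellman
secret that the attacker does not hold.
"""
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only (NOT an IKE group).
P = 2**127 - 1   # Mersenne prime M127; far too small for real use
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for IKE's prf+ (one output block is enough here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret g^ir as fixed-width bytes (P < 2**128, so 16 bytes suffice)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def child_keymat_no_pfs(sk_d: bytes, ni: bytes, nr: bytes) -> bytes:
    """Rekey without PFS: new keys depend only on SK_d and the nonces."""
    return prf(sk_d, ni + nr)


def child_keymat_pfs(sk_d: bytes, g_ir: bytes, ni: bytes, nr: bytes) -> bytes:
    """Rekey with PFS: a fresh DH secret g^ir is mixed in as well."""
    return prf(sk_d, g_ir + ni + nr)


def simulate() -> dict:
    """Run one non-PFS and one PFS rekey under a compromised-SK_d attacker model."""
    # Shared key material from the IKE SA. Per the scenario in the answer, assume
    # the attacker has obtained it, together with the nonces exchanged on rekey.
    sk_d = secrets.token_bytes(32)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Rekey without PFS: the attacker holds exactly the same inputs as the peers.
    peer_keymat = child_keymat_no_pfs(sk_d, ni, nr)
    attacker_keymat = child_keymat_no_pfs(sk_d, ni, nr)

    # Rekey with PFS: each side contributes a fresh DH exponent.
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    keymat_i = child_keymat_pfs(sk_d, dh_shared(i_priv, r_pub), ni, nr)
    keymat_r = child_keymat_pfs(sk_d, dh_shared(r_priv, i_pub), ni, nr)

    # The attacker observes i_pub and r_pub but holds neither private exponent,
    # so the best it can do with SK_d alone is the non-PFS derivation.
    attacker_guess = child_keymat_no_pfs(sk_d, ni, nr)

    return {
        "attacker_recovers_non_pfs_keys": attacker_keymat == peer_keymat,
        "pfs_peers_agree": keymat_i == keymat_r,
        "attacker_recovers_pfs_keys": attacker_guess == keymat_i,
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

Running it prints that the attacker recovers the non-PFS keys, that the two PFS peers still agree on their key material, and that the attacker does not recover the PFS keys. That is the whole point of pairing a short Phase 2 lifetime with PFS: shortening the lifetime alone bounds the exposure window only if each new key is independent of the compromised material.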


