Rekey Timeout Behaviors ASA/Various clients

Document

Wed, 02/09/2011 - 22:04
Sep 10th, 2010

Information gathered (so far) about SA lifetime and rekeying behavior


CISCO ASA (info as of version 8.3(2)):

  Will initiate Phase 1 rekey at 50% of the negotiated (seconds) lifetime.  Behavior not configurable.

  Will initiate Phase 2 rekey at 95% of the negotiated (seconds) lifetime, but no later than 60 seconds before the SA expires.  The 60-second floor takes effect whenever the negotiated lifetime is under 1200 seconds, since 5% of 1200 is 60.  Behavior not configurable.

  Will negotiate the Phase 1/Phase 2 lifetime (seconds and KB) down to whatever the client requests.


Windows XP:

  Will negotiate the Phase 2 (seconds) lifetime down.  (KB behavior untested.)


Windows Vista/Win7:

  Will fail the initial negotiation if the Phase 2 lifetime (seconds or kilobytes) on the server is less than on the client; the client will not negotiate down.


All Windows Native L2TP (RASMAN automatic "IP security policy"):

  Phase 1 lifetime is fixed, non-configurable at 28800 seconds

  Phase 2 lifetime is fixed, non-configurable at 3600 seconds

  Phase 2 KB lifetime is fixed, non-configurable at 250000 KB


All Windows Native L2TP (RASMAN ProhibitIpSec=1 and manually installed "IP security policy"):

  Phase 2 lifetime (KB and seconds) configurable.

  Will initiate Phase 2 rekey 80 seconds before Phase 2 SA expiry (behavior not configurable).


Linux strongSwan Client:

  Phase 1/Phase 2 lifetime (seconds) configurable, but see below.

  The "rekeymargin" parameter determines the (absolute) time before Phase 2 SA expiry at which the client initiates a rekey.

  The "rekeyfuzz" parameter randomly increases that margin; it is meant for server mode with many connections, so that the rekeys of many SAs do not all fire at the same moment.

  Care must be taken: if the margin plus the maximum fuzz add up to more than the lifetime, no rekey is initiated before the SA expires.


OSX (racoon-based) native client:

  Still untested.
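The timings above are easy to get wrong in combination, because the two peers race to initiate the rekey and the peer with the larger "headroom" wins.  The following is an added example, not code from this document, from Cisco, Microsoft or the strongSwan project.  It encodes only the behaviors listed above (ASA 8.3(2) at 50%/95%-with-60-second-floor, the manual Windows policy at 80 seconds before expiry, the Vista/Win7 refusal to negotiate down, and the strongSwan margin/fuzz rule) and computes, for a given lifetime, when each side starts rekeying and which side gets there first.  The treatment of rekeyfuzz as a uniformly random increase of rekeymargin by up to the given percentage is an assumption for illustration; the function names and the 3600/600-second scenarios are constructed for the example.

```python
"""Rekey-timing model for the ASA/client behaviors listed on this page.

Added example, not vendor code.  All constants come from the observations
above; the fuzz model (uniform random increase of the margin) is an assumption.
"""
import random

ASA_PHASE1_FRACTION = 50        # ASA starts Phase 1 rekey at 50% of lifetime
ASA_PHASE2_FRACTION = 95        # ASA starts Phase 2 rekey at 95% of lifetime ...
ASA_PHASE2_MIN_HEADROOM = 60    # ... but never later than 60 s before expiry
WINDOWS_MANUAL_P2_HEADROOM = 80  # manual Windows IPsec policy rekeys 80 s early

# Fixed values of the automatic Windows RASMAN L2TP policy (from the page).
WINDOWS_NATIVE_P1_SECONDS = 28800
WINDOWS_NATIVE_P2_SECONDS = 3600
WINDOWS_NATIVE_P2_KB = 250000


def asa_phase1_rekey_at(lifetime_s: int) -> float:
    """Seconds after SA creation at which the ASA initiates a Phase 1 rekey."""
    return lifetime_s * ASA_PHASE1_FRACTION / 100


def asa_phase2_rekey_at(lifetime_s: int) -> float:
    """Seconds after SA creation at which the ASA initiates a Phase 2 rekey.

    Below 1200 s, 5% of the lifetime is less than 60 s, so the 60 s floor wins.
    """
    return min(lifetime_s * ASA_PHASE2_FRACTION / 100,
               lifetime_s - ASA_PHASE2_MIN_HEADROOM)


def windows_manual_phase2_rekey_at(lifetime_s: int) -> float:
    """Manual 'IP security policy' on Windows: fixed 80 s before expiry."""
    return lifetime_s - WINDOWS_MANUAL_P2_HEADROOM


def vista_win7_negotiation_ok(server_p2_seconds: int, server_p2_kb: int,
                              client_p2_seconds: int = WINDOWS_NATIVE_P2_SECONDS,
                              client_p2_kb: int = WINDOWS_NATIVE_P2_KB) -> bool:
    """Vista/Win7 refuse the initial negotiation if either server-side Phase 2
    lifetime is smaller than the client's; they never negotiate down."""
    return server_p2_seconds >= client_p2_seconds and server_p2_kb >= client_p2_kb


def strongswan_rekey_window(lifetime_s: int, rekeymargin_s: int,
                            rekeyfuzz_pct: int):
    """(earliest, latest) seconds after creation at which strongSwan may start
    a rekey, or None when margin plus maximum fuzz reaches the lifetime and the
    SA would simply expire without a client-initiated rekey."""
    max_margin = rekeymargin_s * (100 + rekeyfuzz_pct) / 100
    if max_margin >= lifetime_s:
        return None
    return (lifetime_s - max_margin, lifetime_s - rekeymargin_s)


def strongswan_sample_rekey_at(lifetime_s: int, rekeymargin_s: int,
                               rekeyfuzz_pct: int, rng=random) -> float:
    """One randomized rekey instant under the assumed uniform fuzz model."""
    window = strongswan_rekey_window(lifetime_s, rekeymargin_s, rekeyfuzz_pct)
    if window is None:
        return float("inf")   # never initiated before expiry
    earliest, latest = window
    return rng.uniform(earliest, latest)


def first_initiator(lifetime_s: int, client_name: str, client_rekey_at: float) -> str:
    """Which peer initiates the Phase 2 rekey first against an ASA."""
    asa_at = asa_phase2_rekey_at(lifetime_s)
    if asa_at < client_rekey_at:
        return "ASA"
    if client_rekey_at < asa_at:
        return client_name
    return "both"


if __name__ == "__main__":
    for lifetime in (3600, 600):   # constructed scenarios: long and short Phase 2
        win_at = windows_manual_phase2_rekey_at(lifetime)
        print(f"lifetime={lifetime}s  ASA@{asa_phase2_rekey_at(lifetime):.0f}s  "
              f"Windows(manual)@{win_at:.0f}s  first={first_initiator(lifetime, 'Windows', win_at)}")
        # strongSwan ipsec.conf defaults: rekeymargin=9m (540 s), rekeyfuzz=100%
        print(f"  strongSwan window (540 s margin, 100% fuzz): "
              f"{strongswan_rekey_window(lifetime, 540, 100)}")
    print("Vista/Win7 vs server p2=1800s:",
          vista_win7_negotiation_ok(1800, WINDOWS_NATIVE_P2_KB))
```

Running it shows the point the notes above make only implicitly: with a 3600-second Phase 2 lifetime the ASA (3420 s) beats the manual Windows policy (3520 s), but at 600 seconds the ASA's 60-second floor (540 s) loses to Windows' 80-second headroom (520 s), and strongSwan with its default 540-second margin and 100% fuzz never rekeys a 600-second SA at all.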
