Information gathered (so far) about SA lifetime and rekeying behavior
Cisco ASA (info as of version 8.3(2)):
Will initiate Phase 1 rekey at 50% of the negotiated (seconds) lifetime. Behavior not configurable.
Will initiate Phase 2 rekey at 95% of the negotiated (seconds) lifetime, but no later than 60 seconds before the SA expires (i.e. the 60-second floor applies whenever the negotiated lifetime is under 1200 seconds). Behavior not configurable.
Will negotiate Phase 1/Phase 2 seconds/KB down to what client requests.
Will negotiate down Phase 2 (seconds) lifetime. (KB behavior untested)
Will fail initial negotiation if Phase 2 lifetime (seconds or kilobytes) on server is less than on client (will not negotiate down.)
All Windows Native L2TP (RASMAN automatic "IP security policy"):
Phase 1 lifetime is fixed, non-configurable at 28800 seconds
Phase 2 lifetime is fixed, non-configurable at 3600 seconds
Phase 2 KB is fixed, non-configurable at 250000KB
All Windows Native L2TP (RASMAN ProhibitIpSec=1 and manually installed "IP security policy"):
Phase 2 lifetime (KB and seconds) configurable.
Will initiate Phase 2 rekey 80 seconds before Phase 2 SA expiry (behavior not configurable.)
Linux StrongSwan Client:
Phase 1/Phase 2 lifetime (seconds) configurable, but see below
Phase 2 "rekeymargin" parameter determines (absolute) time before expiry when client initiates rekey.
Phase 2 "rekeyfuzz" can add random amounts of time when used in server mode with many connections.
Care must be taken: if the margin plus the maximum fuzz exceeds the lifetime, no rekey is initiated.
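The following is an added worked example, not code from any of the vendors above, that turns the rekey rules collected on this page into a small calculator: the Cisco ASA 50%/95%-with-60-second-floor rules, the Windows RASMAN 80-second rule, and the strongSwan margin/fuzz check. The strongSwan arithmetic assumes (my reading of the rekeymargin/rekeyfuzz semantics, not stated on this page) that the margin is randomly increased by up to rekeyfuzz percent, so the latest-possible rekey is at lifetime minus margin and the earliest at lifetime minus margin times (1 + fuzz/100). All lifetimes are constructed sample values.

```python
"""Rekey-time calculator for the IPsec SA lifetime behaviours noted above.

Added example; assumptions are marked in comments.  Times are in seconds
after the SA was established; a non-positive result means "never rekeys".
"""
import random


def asa_phase1_rekey_at(lifetime_s: int) -> float:
    """Cisco ASA initiates Phase 1 rekey at 50% of the negotiated lifetime."""
    return lifetime_s / 2


def asa_phase2_rekey_at(lifetime_s: int) -> float:
    """Cisco ASA initiates Phase 2 rekey at 95% of the negotiated lifetime,
    but no later than 60 s before expiry.  The 60 s floor binds once the
    lifetime drops below 1200 s (5% of 1200 s is exactly 60 s)."""
    return min(lifetime_s * 95 / 100, lifetime_s - 60)


def windows_phase2_rekey_at(lifetime_s: int = 3600) -> int:
    """Windows RASMAN initiates Phase 2 rekey 80 s before SA expiry
    (3600 s is the fixed lifetime of the automatic policy)."""
    return lifetime_s - 80


def strongswan_rekey_window(lifetime_s: int, rekeymargin_s: int,
                            rekeyfuzz_pct: int) -> tuple:
    """Return (earliest, latest) possible strongSwan rekey times.

    Assumption (not from the page): rekeyfuzz randomly increases the
    margin by up to rekeyfuzz percent, so the rekey happens somewhere in
    [lifetime - margin*(1 + fuzz/100), lifetime - margin].
    """
    worst_margin = rekeymargin_s * (1 + rekeyfuzz_pct / 100)
    return lifetime_s - worst_margin, lifetime_s - rekeymargin_s


def strongswan_config_ok(lifetime_s: int, rekeymargin_s: int,
                         rekeyfuzz_pct: int) -> bool:
    """True when even the worst-case (fully fuzzed) margin still leaves
    time before expiry, i.e. a rekey will always be initiated.  This is
    the check the note above warns about."""
    earliest, _ = strongswan_rekey_window(lifetime_s, rekeymargin_s,
                                          rekeyfuzz_pct)
    return earliest > 0


def strongswan_sample_rekey_at(lifetime_s: int, rekeymargin_s: int,
                               rekeyfuzz_pct: int,
                               rng: random.Random) -> float:
    """One randomized rekey time under the assumed fuzz semantics,
    drawn with a caller-supplied RNG so runs are reproducible."""
    earliest, latest = strongswan_rekey_window(lifetime_s, rekeymargin_s,
                                               rekeyfuzz_pct)
    return rng.uniform(earliest, latest)


if __name__ == "__main__":
    # Constructed sample values: a typical 86400/3600 s pair for the ASA,
    # the fixed Windows lifetime, and the strongSwan defaults (1 h lifetime,
    # 9 min margin, 100% fuzz) next to a deliberately too-short lifetime.
    print("ASA Phase 1 rekey at", asa_phase1_rekey_at(86400), "s of 86400")
    print("ASA Phase 2 rekey at", asa_phase2_rekey_at(3600), "s of 3600")
    print("ASA Phase 2 rekey at", asa_phase2_rekey_at(600), "s of 600")
    print("Windows Phase 2 rekey at", windows_phase2_rekey_at(), "s of 3600")
    for life in (3600, 600):
        window = strongswan_rekey_window(life, 540, 100)
        ok = strongswan_config_ok(life, 540, 100)
        print(f"strongSwan lifetime={life}s margin=540s fuzz=100%:",
              f"window={window}", "OK" if ok else "NEVER REKEYS")
    print("sample strongSwan rekey:",
          round(strongswan_sample_rekey_at(3600, 540, 100,
                                           random.Random(1)), 1), "s")
```

Running the block shows the failure mode directly: with the strongSwan defaults (540 s margin, 100% fuzz) a 600 s lifetime gives a rekey window that starts below zero, so the check reports that no rekey would be initiated, whereas the 3600 s lifetime rekeys somewhere between 2520 s and 3060 s.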
OSX (racoonish) native client: