Is this a really bad idea?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ca_picker, Nov 18, 2007.

  1. ca_picker

    ca_picker LI Guru Member

    I have found increased stability with an RV042<->RV042 Gateway-to-gateway VPN connection by setting the Phase 2 lifetime to 900 seconds (15 minutes). A tip-off in another thread re: clock drift led me to experiment with this. Higher values and the tunnel seems to go stale; neither DPD nor Keep-alive does its job at keeping the tunnel up. Both RV042s show the tunnel as connected, but actual connections between sites fail.

    What is the downside to a relatively short Phase 2 lifetime? FWIW, I am going with a Phase 1 lifetime of 28800 (8 hrs).
     
  2. blake_

    blake_ LI Guru Member

    I might be completely wrong, but the lifetime just refers to how long the key used for encryption is active before getting changed. Lower lifetimes --> less time available to crack --> more secure, but also would require more traffic/processing to negotiate the new keys (minimal though). I guess it could also be a form of keepalive seeing as it's sending traffic over what may be an otherwise idle tunnel.

    So to answer your question (maybe incorrectly) there isn't really any downside.
     
  3. ca_picker

    ca_picker LI Guru Member

    My concern is whether that short of a P2 lifetime would disrupt any active connections at the end of the lifetime. I haven't noticed anything yet, but I also haven't really tested it.
     