
Is this a really bad idea?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ca_picker, Nov 18, 2007.

  1. ca_picker (LI Guru Member)

    I have found increased stability with an RV042<->RV042 Gateway-to-gateway VPN connection by setting the Phase 2 lifetime to 900 seconds (15 minutes). A tip-off in another thread re: clock drift led me to experiment with this. With higher values the tunnel seems to go stale; neither DPD nor Keep-alive does its job of keeping the tunnel up. Both RV042s show the tunnel as connected, but actual connections between sites fail.

    What is the downside to a relatively short Phase 2 lifetime? FWIW, I am going with a Phase 1 lifetime of 28800 (8 hrs).
     
  2. blake_ (LI Guru Member)

    I might be completely wrong, but the lifetime just refers to how long the key used for encryption is active before getting changed. Lower lifetimes --> less time available to crack --> more secure, but also would require more traffic/processing to negotiate the new keys (minimal though). I guess it could also be a form of keepalive seeing as it's sending traffic over what may be an otherwise idle tunnel.

    So to answer your question (maybe incorrectly) there isn't really any downside.
     
  3. ca_picker (LI Guru Member)

    My concern is whether that short of a P2 lifetime would disrupt any active connections at the end of the lifetime. I haven't noticed anything yet, but I also haven't really tested it.
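The question in this thread (does a 900 s Phase 2 lifetime disrupt active connections when the SA rolls over?) comes down to whether the peer negotiates the replacement SA before the old one is torn down. The following is an added model written for this page; it is not RV042 firmware behaviour or any Cisco code, and the rekey margin, jitter and the 2-second negotiation delay are assumptions chosen for illustration. It sends one packet per second across the 8-hour Phase 1 lifetime from the thread, using the 900 s Phase 2 lifetime, and counts the seconds during which no usable SA existed. With rekeying triggered ahead of expiry (a soft lifetime) the old and new SA overlap and traffic is never blocked; with rekeying only at hard expiry every rollover costs the negotiation delay.

```python
"""Model of IPsec Phase 2 (child SA) rekeying with a short lifetime.

Constructed model for illustration, not RV042 behaviour. Assumptions:
  - a replacement SA becomes usable NEGOTIATION_DELAY seconds after the
    rekey starts (Quick Mode exchange plus SA install)
  - with rekey_margin > 0, the peer starts rekeying that many seconds
    (randomised by `jitter`) before hard expiry and keeps the old SA
    alive until it expires, so both SAs overlap for a while
  - with rekey_margin == 0, the SA is deleted at expiry and a new one is
    negotiated only afterwards
"""
import random
from dataclasses import dataclass, field

PHASE1_LIFETIME = 28800   # seconds, from the thread (8 hours)
PHASE2_LIFETIME = 900     # seconds, from the thread (15 minutes)
NEGOTIATION_DELAY = 2.0   # assumed: time until a freshly negotiated SA carries traffic


@dataclass
class ChildSA:
    spi: int
    usable_at: float       # SA can carry traffic from this time
    hard_expiry: float     # SA is deleted at this time
    soft_expiry: float     # rekey is triggered at this time
    rekey_started: bool = False

    def usable(self, now: float) -> bool:
        return self.usable_at <= now < self.hard_expiry


@dataclass
class Phase2Tunnel:
    hard_lifetime: float = PHASE2_LIFETIME
    rekey_margin: float = 60.0   # assumed; 0 means "rekey only after expiry"
    jitter: float = 0.1          # assumed: +/-10 % so the two peers do not collide
    sas: list = field(default_factory=list)
    rekeys: int = 0
    next_spi: int = 1
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def start_sa(self, now: float, delay: float = NEGOTIATION_DELAY) -> ChildSA:
        """Begin negotiating a new SA; it becomes usable after `delay` seconds."""
        margin = self.rekey_margin * (1 + self.rng.uniform(-self.jitter, self.jitter))
        usable_at = now + delay
        hard = usable_at + self.hard_lifetime
        sa = ChildSA(spi=self.next_spi, usable_at=usable_at, hard_expiry=hard,
                     soft_expiry=max(usable_at, hard - margin))
        self.next_spi += 1
        self.sas.append(sa)
        return sa

    def tick(self, now: float) -> None:
        """Advance one second: drop expired SAs, rekey at soft expiry."""
        self.sas = [s for s in self.sas if now < s.hard_expiry]
        if not self.sas:
            # Nothing live or negotiating: the tunnel has to be rebuilt from scratch.
            self.rekeys += 1
            self.start_sa(now)
            return
        newest = self.sas[-1]
        if now >= newest.soft_expiry and not newest.rekey_started:
            newest.rekey_started = True
            self.rekeys += 1
            self.start_sa(now)   # old SA stays in self.sas until its hard expiry

    def can_send(self, now: float) -> bool:
        return any(s.usable(now) for s in self.sas)


def simulate(rekey_margin: float, duration: float = PHASE1_LIFETIME):
    """Send one packet per second; return (seconds_blocked, rekeys, max_overlapping_sas)."""
    tunnel = Phase2Tunnel(rekey_margin=rekey_margin)
    tunnel.start_sa(0.0, delay=0.0)          # initial tunnel is already up
    blocked = 0
    max_overlap = 0
    for now in range(int(duration)):
        tunnel.tick(float(now))
        if not tunnel.can_send(float(now)):
            blocked += 1
        max_overlap = max(max_overlap, sum(1 for s in tunnel.sas if s.usable(now)))
    return blocked, tunnel.rekeys, max_overlap


if __name__ == "__main__":
    for margin in (60.0, 0.0):
        blocked, rekeys, overlap = simulate(margin)
        print(f"rekey_margin={margin:>4}s: {rekeys} rekeys over {PHASE1_LIFETIME}s, "
              f"{blocked}s with no usable SA, max {overlap} SA(s) overlapping")
```

With the 60 s margin the tunnel rekeys roughly every 14 minutes, briefly carries two usable SAs, and never blocks a packet; with no margin it still rekeys about 31 times but loses the negotiation delay on every rollover, which is the kind of interruption the question is about. Under this model the cost of a 900 s lifetime is only the extra Quick Mode exchanges, not broken sessions, provided the implementation rekeys ahead of expiry.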
     
