[vpn-help] Phase 2 lifetime size larger than 1000000
Matthew Grooms
mgrooms at shrew.net
Tue Jan 4 02:26:28 CST 2011
On 1/3/2011 3:32 AM, Gert Van Gool wrote:
> Hi all,
>
> I'm having troubles with my configuration of a VPN.
> This VPN is currently configured on a Juniper SSG5. But we need/want
> to move it to a different server.
> However we can't change anything but the connecting IP on this configuration.
>
> I can fill in everything apart from the P2 lifetime size, this should
> be 4194303 but max size is 1000000.
> Is there a way to circumvent it (directly editing configuration file)?
>
You do realize that using a phase2 timeout of 1000000 will allow SAs to
exist for over 11 days? A typical IPsec SA only lives for an hour or so.
Even a typical ISAKMP SA only lives for 8 to 24 hours. In any case, I
suppose you could manually edit the phase2-life-secs value in the
registry or a file depending on the platform you use. On Windows, the
value is stored under ...
HKEY_CURRENT_USER\Software\ShrewSoft\vpn\site\[site name]
... and on Linux/BSD/OSX it's stored in the file ...
~/.ike/sites/[site name]
-Matthew
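
Added example, not part of the original message or of the Shrew Soft code: a small audit that reads the phase2-life-secs value from site files under ~/.ike/sites/ and flags lifetimes above a ceiling. The "<type>:<key>:<value>" line format, the one-hour ceiling and the function names are assumptions made for this example.

```python
import re
from pathlib import Path

# Assumed site-file line format: "<type>:<key>:<value>", e.g. "n:phase2-life-secs:3600".
LINE_RE = re.compile(r"^(?P<type>[a-z]):(?P<key>[^:]+):(?P<value>.*)$")
MAX_P2_SECS = 3600  # hypothetical policy ceiling, about one hour


def parse_site(text):
    """Return {key: value} for well-formed lines; numeric ('n') values become int."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        value = m["value"]
        if m["type"] == "n":
            try:
                value = int(value)
            except ValueError:
                continue  # malformed number: skip rather than guess
        settings[m["key"]] = value
    return settings


def audit_phase2_lifetime(text, limit=MAX_P2_SECS):
    """Return (seconds, days, exceeds_limit), or None if the key is absent."""
    secs = parse_site(text).get("phase2-life-secs")
    if not isinstance(secs, int):
        return None
    return secs, round(secs / 86400, 2), secs > limit


def audit_sites_dir(directory=None):
    """Audit every site file in the directory (default: ~/.ike/sites)."""
    directory = Path(directory) if directory else Path.home() / ".ike" / "sites"
    results = {}
    if directory.is_dir():
        for path in sorted(directory.iterdir()):
            if path.is_file():
                text = path.read_text(errors="replace")
                results[path.name] = audit_phase2_lifetime(text)
    return results


# Constructed sample input, not taken from a real site file.
SAMPLE = "n:version:2\ns:network-host:vpn.example.com\nn:phase2-life-secs:1000000\n"

if __name__ == "__main__":
    print(audit_phase2_lifetime(SAMPLE))
    print(audit_sites_dir())
```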