[vpn-help] Questions About Life Bytes

Matthew Grooms mgrooms at shrew.net
Mon May 16 12:09:51 CDT 2011


On 4/9/2011 5:23 PM, Mark Larwill wrote:
> On the Shrew website one of the known issues listed is:
>
> "Will negotiate but not honor lifetime kilobytes for SAs"
>
> I have a few questions about this:
>
> Is there any more detailed information about what this means?
> Does this apply for both phase-1 and phase-2?
> What happens if "Key Life Data Limit" values are set in the user interface?
> Are there any known problems that can occur as a result of this limitation?
>

The life bytes parameter was added because some gateway configurations 
will only negotiate with a peer if they supply the parameter. The client 
does not enforce the life byte restriction. This means that you could 
potentially encounter a situation where the peer thinks the SA has 
expired ( due to the life bytes max being reached ) but the local client 
still thinks it's valid.

-Matthew
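To make the failure mode concrete, here is a small constructed model of the mismatch Matthew describes. It is an added example, not Shrew Soft client or gateway code: two peers share one phase-2 SA with a time lifetime and a kilobyte lifetime, the gateway honours both limits, the client honours only the time limit (as the post says), and the simulation counts how many packets the client keeps sending on an SPI the gateway has already discarded. The class and function names (SaView, simulate), the traffic parameters and the single-limit accounting are assumptions made for the model; a real IKE daemon also has soft limits, rekey jitter and delete notifications that are left out here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SaView:
    """One peer's view of a single phase-2 (IPsec) SA.

    Hypothetical model for this example only: it tracks a time limit and a
    kilobyte limit, which is enough to show the lifetime mismatch.
    """
    name: str
    life_seconds: float
    life_kbytes: int
    enforce_kbytes: bool          # gateway: True; the client in the post: False
    bytes_processed: int = 0
    expired_at_pkt: Optional[int] = None

    def accept(self, pkt_index: int, now: float, nbytes: int) -> bool:
        """Return True if this side still treats the SA as valid for this packet."""
        if self.expired_at_pkt is not None:
            return False
        if now >= self.life_seconds:              # time limit: both sides honour it
            self.expired_at_pkt = pkt_index
            return False
        self.bytes_processed += nbytes
        if self.enforce_kbytes and self.bytes_processed >= self.life_kbytes * 1024:
            self.expired_at_pkt = pkt_index       # the packet that hits the limit still passes
        return True


def simulate(life_seconds: float = 60.0, life_kbytes: int = 1024,
             pkt_bytes: int = 1400, pps: float = 100.0,
             client_enforces_kbytes: bool = False) -> dict:
    """Push a constant packet stream across one SA until the client rekeys.

    Returns when each side expired the SA (packet index) and how many of the
    client's packets arrived at the gateway on an SPI it no longer has.
    """
    client = SaView("client", life_seconds, life_kbytes, client_enforces_kbytes)
    gateway = SaView("gateway", life_seconds, life_kbytes, True)
    sent = rejected = 0
    i = 0
    while True:
        now = i / pps                             # constructed timeline, no wall clock
        if not client.accept(i, now, pkt_bytes):
            break                                 # client finally rekeys on its time limit
        sent += 1
        if not gateway.accept(i, now, pkt_bytes):
            rejected += 1                         # gateway already deleted this SA
        i += 1
    return {
        "client_sent": sent,
        "gateway_expired_at_pkt": gateway.expired_at_pkt,
        "client_expired_at_pkt": client.expired_at_pkt,
        "rejected_by_gateway": rejected,
    }


if __name__ == "__main__":
    # 1 MB byte limit at 1400 B * 100 pps is hit after ~7.5 s, long before the 60 s time limit.
    print("client ignores kbytes:", simulate())
    print("client honours kbytes:", simulate(client_enforces_kbytes=True))
```

With the defaults the gateway drops the SA at packet 748 while the client keeps using it until packet 6000, so 5251 packets land on an SPI the gateway no longer knows; with `client_enforces_kbytes=True` both sides expire at packet 748 and nothing is lost. The model suggests the practical check for a deployment with this client: estimate peak throughput times the time lifetime and make sure the negotiated kilobyte limit is comfortably larger than that, so the time-based rekey always fires first.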
