The main reason why the lifetime of IPSec tunnels is limited is security. The longer a tunnel is alive, the more time an attacker has for an attack, and the more data is encrypted with the same session key, which reduces the effort for attackers to find the key.

The IKE Phase 1 tunnel is only used to ensure a secure connection between VPN client and VPN gateway, comparable to a TLS connection (i.e. only IKE messages are exchanged via the Phase 1 tunnel, which are used to keep the Phase 1 connection alive and to negotiate Phase 2 tunnels if necessary). The Phase 1 tunnel has no influence on the VPN speed, only on the initial connection setup, so there is never any reason not to use the strongest protection in Phase 1 that both sides can support. Since very little data is ever sent through the Phase 1 tunnel, there is also no reason not to choose a very long lifetime.

The Phase 2 tunnels are used to encrypt the actual data traffic, so the settings here directly influence the overhead, latency and speed of the VPN connection and must be weighed against security. Also, large amounts of data are encrypted via the Phase 2 tunnels, so you should not set their lifetime too high. If possible, it is always recommended to use Perfect Forward Secrecy (PFS) in Phase 2. This slows down the Phase 2 connection setup a bit, but completely decouples Phase 2 cryptographically from Phase 1, since an independent session key is negotiated rather than derived from the Phase 1 session key.

The lifetimes of the two phases are basically independent of each other. A Phase 2 tunnel may continue to exist even if the Phase 1 tunnel over which it was negotiated no longer exists. Thus, Phase 1 may have a shorter lifetime than Phase 2.

VPN Tracker always negotiates new tunnels in time, before the lifetime expires, so that the connection is normally never interrupted. With Phase 2, the tunnels are seamlessly connected, meaning that not a single data packet is lost during the changeover. This is why even with a very short lifetime of just a few minutes, the impression of an uninterrupted connection is created. Frequent changes of Phase 2 tunnels only lead to a little more data traffic and a little more computing work on both sides of the connection.

The lifetime of the tunnels is explicitly not negotiated. The standard allows a tunnel to have different lifetimes on the two sides of the connection.
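As an added example (not from VPN Tracker or this page), the lifetime policy described above written as a strongSwan `swanctl.conf` fragment: a long-lived, strongly protected Phase 1, short-lived Phase 2 tunnels with PFS, and rekeying scheduled before expiry so the changeover is seamless. The addresses, identities and the pre-shared key are placeholders.

```conf
# Added example, not part of the original page. Addresses, IDs and PSK are assumed.
connections {
    site-a {
        version = 1                       # IKEv1: IKE SA = Phase 1, CHILD_SA = Phase 2
        local_addrs  = 198.51.100.10      # assumed
        remote_addrs = 203.0.113.20       # assumed
        # Phase 1: strongest proposal both peers support. A long lifetime is
        # acceptable because almost no data crosses the IKE SA.
        proposals  = aes256-sha384-ecp384
        rekey_time = 24h                  # renew the Phase 1 SA once a day
        over_time  = 10m                  # hard expiry if rekeying fails
        local {
            auth = psk
            id   = gw-a.example.invalid   # assumed
        }
        remote {
            auth = psk
            id   = gw-b.example.invalid   # assumed
        }
        children {
            lan {
                local_ts  = 10.1.0.0/24   # assumed
                remote_ts = 10.2.0.0/24   # assumed
                # Phase 2: the DH group in the ESP proposal enables PFS, so each
                # CHILD_SA key is negotiated independently of the Phase 1 key.
                esp_proposals = aes256gcm16-ecp384
                # Short lifetime because bulk traffic runs through this SA.
                # rekey_time is kept below life_time so the replacement SA is
                # negotiated before the old one expires and no packet is lost;
                # rand_time jitters rekeying so the two peers do not collide.
                # Lifetimes are local, never negotiated: the peer may use others.
                rekey_time  = 15m
                life_time   = 18m
                rand_time   = 1m
                rekey_bytes = 1000000000  # also rekey after ~1 GB under one key
                start_action = trap
            }
        }
    }
}
secrets {
    ike-a {
        id     = gw-b.example.invalid     # assumed
        secret = "REPLACE-WITH-A-STRONG-PSK"
    }
}
```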