Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
2
Replies

Sense for lifetime of phase 1 and active PFS on phase 2

krystianstrycharz
Level 1
Level 1

‎04-12-2017 01:57 AM

If i set lifetime for phase 1 ISAKMP equal 3600 seconds, has it sense to set PFS and lifetime for phase 2 IPSec equal 3600 seconds? I understand it's sufficently to set only PFS and lifetime of phase 2, because anyhow after 3600 sec. PFS enforces new phase 1 tunnel and new key materials.

Could you refer to this? Thanks for help in advance!

Labels:
0 Helpful
2 Replies 2

ajay chauhan
Level 7
Level 7

‎04-13-2017 01:31 AM

I do not see any great reason to keep both same for phase -1 and phase -2 . Best practice phase-1 should always be greater than phase-2.

Ajay

0 Helpful

krystianstrycharz
Level 1
Level 1
In response to ajay chauhan

‎04-13-2017 02:01 AM

Ok, what in case when phase1 is greater than phase2? Is it lifetime of phase1 has any meaning? Because when lifetime of phase2 expires then new phase1 is enforced. 

0 Helpful
Customers Also Viewed These Support Documents