User guide

Appendix G - IPSEC
Conn Parameters: Manual Keying
The following parameters are relevant only to manual keying, and are ignored in automatic
keying. Unless otherwise noted, for a connection to work, in general it is necessary for the
two ends to agree exactly on the values of these parameters. A manually-keyed connection
must specify at least one of AH or ESP.
keylife
    How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. Acceptable values are an integer optionally followed by s (a time in seconds) or a decimal number followed by m, h, or d (a time in minutes, hours, or days respectively) (default 8.0h, maximum 24h).

rekey
    Whether a connection should be renegotiated when it is about to expire. Acceptable values are yes (the default) and no.

rekeymargin
    How long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin. Acceptable values as for keylife (default 9m).

rekeyfuzz
    Maximum percentage by which rekeymargin should be randomly increased to randomize rekeying intervals (important for hosts with many connections). Acceptable values are an integer, which may exceed 100, followed by a %.

keyingtries
    How many attempts (an integer) should be made to negotiate a connection, or a replacement for one, before giving up (default 3). The value 0 means never give up.

ikelifetime
    How long the keying channel of a connection (buzzphrase: ISAKMP SA) should last before being renegotiated. Acceptable values as for keylife.

compress
    Whether IPComp compression of content is desired on the connection. Acceptable values are yes and no (the default).
spi or spibase
    One of spi or spibase is required for manual keying. spi is the SPI number to be used for the connection. Must be of the form 0xhex, where hex is one or more hexadecimal digits. (Note: it will generally be necessary to make spi at least 0x100 to be acceptable to KLIPS, and use of SPIs in the range 0x100-0xfff is recommended.)
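As an added example, not code from the guide or from the IPsec implementation it describes, the following Python checker applies the value rules given above to one conn section: durations as an integer with optional s or a decimal with m, h or d, the 24h maximum on keylife, rekeyfuzz as an integer percentage, and spi in 0xhex form inside the recommended range. The key=value sample is constructed, and treating an absent rekeyfuzz as 0% is an assumption of the checker, not a default stated by the guide.

```python
import re

# Constructed sample conn section (ipsec.conf key=value layout is assumed here).
SAMPLE_CONN = {"keylife": "8.0h", "rekey": "yes", "rekeymargin": "9m",
               "rekeyfuzz": "100%", "spi": "0x200"}
_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
MAX_KEYLIFE = 24 * 3600  # the guide's stated 24h maximum for keylife

def parse_duration(value):
    """Seconds for 'integer[s]' or 'decimal{m,h,d}'; ValueError on other syntax."""
    value = value.strip()
    m = re.fullmatch(r"(\d+)s?", value)
    if m:
        return int(m.group(1))
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([mhd])", value)
    if m:
        return float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
    raise ValueError("bad duration syntax: %r" % value)

def parse_spi(value):
    """Integer SPI from the required 0xhex form; ValueError otherwise."""
    if not re.fullmatch(r"0x[0-9a-fA-F]+", value.strip()):
        raise ValueError("spi must be of the form 0xhex: %r" % value)
    return int(value, 16)

def parse_fuzz(value):
    """Percentage from 'integer%' (may exceed 100); ValueError otherwise."""
    if not re.fullmatch(r"\d+%", value.strip()):
        raise ValueError("rekeyfuzz must be an integer followed by %%: %r" % value)
    return int(value.strip()[:-1])

def check_conn(params):
    """Findings against the guide's rules; an empty list means all checks passed."""
    findings = []
    keylife = parse_duration(params.get("keylife", "8.0h"))
    if keylife > MAX_KEYLIFE:
        findings.append("keylife exceeds the 24h maximum")
    margin = parse_duration(params.get("rekeymargin", "9m"))
    fuzz = parse_fuzz(params.get("rekeyfuzz", "0%"))  # absent: no fuzz assumed
    # Renegotiation may begin up to rekeymargin*(1+rekeyfuzz) before expiry,
    # so that span must be shorter than keylife for a rekey to ever be timely.
    if params.get("rekey", "yes") == "yes" and margin * (1 + fuzz / 100) >= keylife:
        findings.append("rekeymargin (with rekeyfuzz) is not shorter than keylife")
    if "spi" not in params and "spibase" not in params:
        findings.append("manual keying requires spi or spibase")
    elif "spi" in params and not 0x100 <= parse_spi(params["spi"]) <= 0xfff:
        findings.append("spi outside the recommended 0x100-0xfff range")
    return findings
```

Running check_conn(SAMPLE_CONN) returns an empty list; shrinking keylife below rekeymargin plus its fuzz, or omitting both spi and spibase, produces a finding naming the rule broken.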