proposed value sent by the remote system if it is within the range specified by the IPsec protocol suite.
Windows IKE SA Lifetime Values
By default, Windows XP systems use the following preferred IKE key lifetime values:
480 minutes (eight hours)
0 (infinite) IPsec SA negotiations (sessions)
In testing with
The default maximum QM values are as follows:
Windows: 0 (infinite)
If the value for maximum QM is 1, Perfect Forward Secrecy (PFS) for both keys and identities is implemented. See “Perfect Forward Secrecy (PFS)” (page 43) for more information.
Perfect Forward Secrecy (PFS)
With Perfect Forward Secrecy, the exposure of one key permits access only to the data protected by that key. RFC 2409, The Internet Key Exchange (IKE), defines two forms of PFS:
• PFS for both the keys and the IKE identities. PFS is provided for keys in conjunction with PFS for identities. IKE deletes the IKE SA after the IPsec negotiation completes, so each IKE SA is used for only one IPsec negotiation.
The Windows interface refers to this type of PFS as master key PFS.
• PFS for IPsec keys only. The IKE peers perform a key exchange
The Windows interface refers to this type of PFS as session key PFS.
Configuring PFS is computationally expensive. In most topologies, the strength of the cryptographic algorithms is sufficient protection. HP recommends that you enable PFS only in hostile environments.
IPsec SA Key (Session Key) Lifetime Values
IPsec SA key lifetimes (referred to as session key lifetimes on Windows systems) specify the maximum lifetimes for IPsec SA keys. They are specified in units of time (seconds) and in data transferred (kilobytes).
By default,
28,800 seconds (eight hours)
0 (infinite) data units
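The following netsh commands are an added example, not part of the HP-UX guide or of any HP or Microsoft sample. They show how the IKE SA lifetime, the maximum number of quick modes per IKE SA, master key PFS (Windows' name for PFS of keys and identities), session key PFS, and the session key lifetime discussed above are expressed in the netsh ipsec static context (Windows XP SP2 and later). The policy and filter action names are placeholders chosen here; the default-like policy leaves the session key lifetime at the Windows defaults listed above, and the PFS-enabled policy is the qmpermm=1 case described in the PFS discussion.

```powershell
# Added example (not from the HP-UX guide): netsh ipsec static commands that set the
# Windows lifetime and PFS values discussed above. Names are placeholders.

# Default-like settings: IKE SA lifetime of 480 minutes, unlimited quick mode
# negotiations per IKE SA (qmpermm=0) and no master key PFS. Omitting
# qmsecmethods and qmpfs leaves the session key lifetime at the Windows
# defaults (28800 seconds, no kilobyte limit) with no session key PFS.
netsh ipsec static add policy name="IKE-Default-Like" mmpfs=no qmpermm=0 mmlifetime=480
netsh ipsec static add filteraction name="FA-Default-Like" action=negotiate qmpfs=no

# PFS-enabled settings, for the hostile environments the text describes:
# mmpfs=yes forces one quick mode per IKE SA (master key PFS, qmpermm=1),
# qmpfs=yes adds session key PFS, and qmsecmethods bounds the session key
# lifetime at 100000 kilobytes or 3600 seconds, whichever is reached first.
netsh ipsec static add policy name="IKE-PFS" mmpfs=yes qmpermm=1 mmlifetime=480
netsh ipsec static add filteraction name="FA-PFS" action=negotiate qmpfs=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# Check the stored values before assigning the policy; compare the lifetime
# and PFS fields of the two policies in the verbose output.
netsh ipsec static show policy name="IKE-PFS" level=verbose
netsh ipsec static show filteraction name="FA-PFS" level=verbose
```

When comparing a Windows peer with another IKE implementation, check the verbose output for the IKE SA lifetime (minutes on Windows, seconds on most other stacks), the quick modes per main mode count, and both halves of the session key lifetime, since a kilobyte limit on one side and none on the other changes which peer initiates rekeying.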
Comparing