Appendix G - IPSEC
User Guide
Conn Parameters: Manual Keying
The following parameters are relevant only to manual keying, and are ignored in automatic
keying. Unless otherwise noted, for a connection to work, in general it is necessary for the
two ends to agree exactly on the values of these parameters. A manually-keyed connection
must specify at least one of AH or ESP.
keylife
How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. Acceptable values are an integer optionally followed by s (a time in seconds) or a decimal number followed by m, h, or d (a time in minutes, hours, or days respectively) (default 8.0h, maximum 24h).
rekey
Whether a connection should be renegotiated when it is about to expire. Acceptable values are yes (the default) and no.
rekeymargin
How long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin. Acceptable values as for keylife (default 9m).
rekeyfuzz
Maximum percentage by which rekeymargin should be randomly increased to randomize rekeying intervals (important for hosts with many connections). Acceptable values are an integer, which may exceed 100, followed by a “%”.
keyingtries
How many attempts (an integer) should be made to negotiate a connection, or a replacement for one, before giving up (default 3). The value 0 means “never give up.”
ikelifetime
How long the keying channel of a connection (buzzphrase: ISAKMP SA) should last before being renegotiated. Acceptable values as for keylife.
compress
Whether IPComp compression of content is desired on the connection. Acceptable values are yes and no (the default).
spi or spibase
spi or spibase is required for manual keying. The SPI number to be used for the connection. Must be of the form 0xhex, where hex is one or more hexadecimal digits. (Note: it will generally be necessary to make spi at least 0x100 to be acceptable to KLIPS, and use of SPIs in the range 0x100-0xfff is recommended.)
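
Added example, not part of the manual or the product's own code: a Python check of the value formats described above (keylife-style times, rekeyfuzz percentages, SPI numbers) that also computes when rekeying would begin for a given keylife, rekeymargin and rekeyfuzz. The function names are hypothetical, and rejecting a margin that consumes the whole keylife is an assumption made for this example.

```python
import re

UNITS = {"m": 60, "h": 3600, "d": 86400}   # suffixes listed under keylife
MAX_KEYLIFE = 24 * 3600                    # stated keylife maximum (24h)

def parse_time(value):
    """Seconds for a keylife-style value: integer with optional 's',
    or a decimal number followed by m, h or d."""
    m = re.fullmatch(r"(\d+)s?", value)
    if m:
        return float(m.group(1))
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([mhd])", value)
    if m:
        return float(m.group(1)) * UNITS[m.group(2)]
    raise ValueError(f"bad time value: {value!r}")

def parse_spi(value):
    """Return (spi, in_recommended_range) for a 0xhex SPI of at least 0x100."""
    if not re.fullmatch(r"0x[0-9a-fA-F]+", value):
        raise ValueError(f"SPI must have the form 0xhex: {value!r}")
    spi = int(value, 16)
    if spi < 0x100:
        raise ValueError(f"SPI below 0x100: {value!r}")
    return spi, spi <= 0xFFF

def rekey_window(keylife, rekeymargin, rekeyfuzz):
    """Return (earliest, latest) seconds after negotiation at which
    rekeying starts, given rekeymargin increased by 0..rekeyfuzz percent."""
    life = parse_time(keylife)
    if life > MAX_KEYLIFE:
        raise ValueError("keylife exceeds the 24h maximum")
    margin = parse_time(rekeymargin)
    m = re.fullmatch(r"(\d+)%", rekeyfuzz)
    if not m:
        raise ValueError(f"rekeyfuzz must be an integer followed by %: {rekeyfuzz!r}")
    worst = margin * (1 + int(m.group(1)) / 100)
    # Assumption (not from the manual): reject settings whose largest
    # possible margin would leave no usable lifetime before rekeying.
    if worst >= life:
        raise ValueError("rekeymargin plus fuzz consumes the whole keylife")
    return life - worst, life - margin

if __name__ == "__main__":
    # Constructed sample values; 8.0h and 9m are the defaults quoted above.
    print(rekey_window("8.0h", "9m", "100%"))
    print(parse_spi("0x200"))
```

With the quoted defaults and a constructed rekeyfuzz of 100%, rekeying starts between 27720 and 28260 seconds after negotiation.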