Default IPSec session key regeneration interval in Windows 2003 Based System

Applies to: Microsoft Windows XP Professional, Microsoft Windows XP Service Pack 3, Microsoft Windows Server 2003 Service Pack 2


On Windows XP or Windows Server 2003, you can configure the IPSec policy either in Local Computer Policy or in a Group Policy Object (GPO). Specifically, you can create multiple Filter Actions. In each Filter Action, you can specify several security methods and customize the parameters of each security method.

In the "Custom Security Method Settings" window, you can specify the settings of a security method. Among those settings, you can define the interval, that is, how frequently a new session key should be generated.

Two types of interval can be configured, one in kilobytes and the other in seconds. Session key regeneration will start based on whichever interval, either kilobytes or seconds, is reached first.

The UI for each interval consists of a checkbox titled "Generate a new key every" and an input box in which you type the number of kilobytes or seconds. The user must tick the checkbox before a customized value can be entered. This leads the user to think that if he ticks only one of the two intervals and types the corresponding customized value, the other, unticked interval will not be used, leaving only the ticked one controlling how frequently a new session key is regenerated.

That is not how it works. If either of the two intervals is not customized, that is, the checkbox is left unticked and no value is entered, the system adopts the default value for that interval type. In Windows XP and Windows Server 2003, the default values are:

Default Quick Mode lifetime: 1 hour
Default Quick Mode lifetime in KB: 100MB
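The following model, added here as an illustration and not Microsoft's code, shows the practical effect of the behaviour described above: an unticked checkbox does not disable that trigger, it silently falls back to the default, and whichever limit is reached first starts key regeneration. It assumes the defaults stated in this article (1 hour, 100 MB) and treats 100 MB as 100000 KB, the unit the dialog uses; the class and function names are hypothetical and nothing here reads or writes the actual IPSec policy store.

```python
"""Model of how a Windows XP / Server 2003 IPSec quick-mode session key
lifetime is chosen when one or both "Generate a new key every" boxes are
left unticked.  Added illustration only; not Microsoft's code.  Assumes the
article's defaults (1 hour, 100 MB) and 100 MB == 100000 KB (assumption).
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_LIFETIME_SECONDS = 3600   # "Default Quick Mode lifetime: 1 hour"
DEFAULT_LIFETIME_KB = 100_000     # "Default Quick Mode lifetime in KB: 100MB" (assumed 100000 KB)


@dataclass(frozen=True)
class SecurityMethodLifetime:
    """The two checkbox/input-box pairs from the Custom Security Method dialog.

    None means the checkbox was left unticked.  The system then falls back to
    the default for that interval; it does not disable that trigger.
    """
    kilobytes: Optional[int] = None
    seconds: Optional[int] = None

    def effective(self) -> tuple[int, int]:
        """Return the (KB, seconds) limits the system will actually enforce."""
        kb = self.kilobytes if self.kilobytes is not None else DEFAULT_LIFETIME_KB
        sec = self.seconds if self.seconds is not None else DEFAULT_LIFETIME_SECONDS
        return kb, sec


def seconds_until_rekey(lifetime: SecurityMethodLifetime,
                        throughput_kb_per_s: float) -> tuple[str, float]:
    """Return (trigger, seconds) for the first limit hit at a steady data rate.

    Whichever of the two limits (kilobytes or seconds) is reached first starts
    session key regeneration.
    """
    if throughput_kb_per_s < 0:
        raise ValueError("throughput must be non-negative")
    kb_limit, sec_limit = lifetime.effective()
    if throughput_kb_per_s == 0:
        # No traffic: only the time-based limit can fire.
        return "seconds", float(sec_limit)
    by_bytes = kb_limit / throughput_kb_per_s
    if by_bytes < sec_limit:
        return "kilobytes", by_bytes
    return "seconds", float(sec_limit)


if __name__ == "__main__":
    # An administrator ticks only the seconds box and sets 2 hours, expecting
    # the byte counter to be ignored.  The default 100 MB limit still applies.
    cfg = SecurityMethodLifetime(seconds=7200)
    print("effective (KB, s):", cfg.effective())
    for rate in (10.0, 1000.0):
        trigger, when = seconds_until_rekey(cfg, rate)
        print(f"at {rate:g} KB/s the key is regenerated after {when:g} s "
              f"by the {trigger} limit")
```

At 1000 KB/s the unticked kilobyte limit forces a rekey after 100 seconds, long before the 2-hour value the administrator typed; only at low data rates does the seconds interval govern. When auditing a policy, check both intervals, not just the ticked one.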

Please refer to the following screenshot of that configuration window, and the explanation in the in-context help.