Re: FVS338 VPN almost (but not quite) working
You should update the firmware on both routers to the latest available.
-----------------------------------------------------------------------
SA Lifetime Guidelines:

2 Static IPs
  86400 both ends
1 Static 1 Dynamic IP
  3600 both ends
2 Dynamic IPs
  3600 both ends
VPN Client
  1.x Firmware (old style blue, Netgear)
    3600 router, leave client at defaults (blank)
  2.x/3.x Firmwares (new style orange, TeamF1)
    3600-86400, usually 14400 router, leave client at defaults (blank)

The newer TeamF1 firmwares do not renegotiate VPN Client SA expirations. Set the SA Lifetime to the expected connection time. I use 14400 (4 hours) as a good compromise in an office setting.
Longer SAs are fine, but keep in mind that the client tunnel does not drop unless it is disconnected at the client or the router SA expires. If they lose Internet connectivity, the SA on the router stays up, burning 1 tunnel until the SA expires.
SA = Security Association
-----------------------------------------------------------------------
Last edited by adit; November 1st, 2008 at 06:52 AM.