From: Jerry Murdock
Subject: Re: Racoon SA Hard/Soft Lifetimes
To: Shoichi Sakane
Cc: FreeBSD-Security@FreeBSD.ORG
Date: Sat, 25 May 2002 06:33:15 -0700 (PDT)
Message-ID: <20020525133315.86705.qmail@web14603.mail.yahoo.com>
In-Reply-To: <20020525122004P.sakane@kame.net>

--- Shoichi Sakane wrote:
> > I've successfully got a 2-day-old -Stable build to talk IPSEC/IKE with a
> > Sonicwall, but things fall apart when the SAs hit the soft lifetime limit.
> >
> > A new SA is successfully negotiated with the Sonicwall when the soft lifetime
> > runs out, but the Sonicwall then ignores anything coming into it on the "old"
> > SA (which FBSD uses until the hard lifetime runs out).
>
> if your system has "net.key.preferred_oldsa" system wide value,
> you can configure the kernel using new SA immediately.
>
> try like the following,
> # sysctl -w net.key.preferred_oldsa=0

Sounds like exactly what I was looking for; unfortunately, it doesn't seem to have any effect. I still see the counters for the old SA incrementing, and nothing going out the new SA until the old one expires completely.

For now, I've modified racoon to set the soft lifetime to "hard lifetime - 10 seconds." The value seems to work quite well for the connection in question with no apparent key-renegotiation packet loss.

Thanks,
Jerry
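The exchange above describes three moving parts: racoon negotiating a replacement SA at the soft lifetime, the kernel's net.key.preferred_oldsa choice of which live SA carries outbound traffic, and a peer that stops honouring the old SA as soon as the new one exists. The following toy model is an added example written for this archive page; it is not code from racoon, the FreeBSD kernel, or either poster. It assumes one packet per second, a peer that accepts only the newest SA (the Sonicwall behaviour Jerry reported, modelled here as an assumption), and treats preferred_oldsa as working the way Sakane described it; the 60-second hard lifetime and the class and function names are constructed for the example. It counts how many packets the peer discards during one rekey cycle, which makes the "soft = hard - 10 seconds" workaround's effect visible as a shrinking loss window.

```python
"""Toy model of IPsec outbound-SA selection across a rekey (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class SA:
    """One security association with the lifetimes racoon negotiates for it."""
    spi: int
    created: float
    soft: float   # seconds after which racoon starts negotiating a replacement
    hard: float   # seconds after which the kernel deletes the SA

    def soft_expired(self, now: float) -> bool:
        return now >= self.created + self.soft

    def hard_expired(self, now: float) -> bool:
        return now >= self.created + self.hard


class Initiator:
    """Model of the FreeBSD side: which SA does the kernel use for outbound packets?"""

    def __init__(self, preferred_oldsa: bool):
        # Models net.key.preferred_oldsa: 1 keeps sending on the old SA until
        # its hard lifetime ends, 0 switches to the newest SA immediately.
        self.preferred_oldsa = preferred_oldsa
        self.sas: List[SA] = []

    def expire(self, now: float) -> None:
        """Drop SAs whose hard lifetime has run out."""
        self.sas = [sa for sa in self.sas if not sa.hard_expired(now)]

    def select_outbound(self, now: float) -> Optional[int]:
        """Return the SPI used for outbound traffic, or None if no SA is live."""
        if not self.sas:
            return None
        pick = min if self.preferred_oldsa else max
        return pick(self.sas, key=lambda sa: sa.created).spi


def simulate(hard: float, soft: float, preferred_oldsa: bool, seconds: int) -> int:
    """Send one packet per second for `seconds`; return how many the peer discards.

    The peer is modelled on the behaviour reported in the thread (assumption):
    once a replacement SA is negotiated it accepts only that newest SA.
    """
    fbsd = Initiator(preferred_oldsa)
    peer_accepts: Set[int] = set()
    next_spi = 1

    def rekey(now: float) -> None:
        nonlocal next_spi
        fbsd.sas.append(SA(next_spi, now, soft, hard))
        peer_accepts.clear()          # peer forgets the old SA ...
        peer_accepts.add(next_spi)    # ... and honours only the new one
        next_spi += 1

    rekey(0.0)
    dropped = 0
    for now in range(seconds):
        fbsd.expire(now)
        if not fbsd.sas or max(fbsd.sas, key=lambda sa: sa.created).soft_expired(now):
            rekey(float(now))         # racoon negotiates a new SA at soft expiry
        if fbsd.select_outbound(now) not in peer_accepts:
            dropped += 1              # sent on an SA the peer no longer accepts
    return dropped


if __name__ == "__main__":
    # Constructed lifetimes (hard 60 s) so a whole cycle is quick to trace.
    print("preferred_oldsa=1, soft=48:", simulate(60, 48, True, 70), "packets lost")
    print("preferred_oldsa=0, soft=48:", simulate(60, 48, False, 70), "packets lost")
    print("preferred_oldsa=1, soft=50:", simulate(60, 50, True, 70), "packets lost")
```

With the old SA preferred, every packet between the soft and hard expiry is lost to a peer that has already forgotten that SA, so the loss window is exactly hard minus soft; switching to the new SA at once closes it, and the racoon change in the reply shrinks it to ten seconds without depending on the sysctl. The model is pessimistic by design: it charges every second of that window as a lost packet, whereas on a lightly used tunnel (as Jerry observed) the practical loss can be negligible.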