From owner-freebsd-questions  Fri Sep  6 15: 3:17 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6B47637B400
	for <questions@FreeBSD.ORG>; Fri,  6 Sep 2002 15:03:11 -0700 (PDT)
Received: from fep6.cogeco.net (smtp.cogeco.net [216.221.81.25])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 00E1D43E6E
	for <questions@FreeBSD.ORG>; Fri,  6 Sep 2002 15:03:11 -0700 (PDT)
	(envelope-from dlavigne6@cogeco.ca)
Received: from d226-39-211.home.cgocable.net (d226-39-211.home.cgocable.net [24.226.39.211])
	by fep6.cogeco.net (Postfix) with ESMTP
	id 07A5163B2; Fri,  6 Sep 2002 18:03:03 -0400 (EDT)
Date: Fri, 6 Sep 2002 18:09:43 -0400 (EDT)
From: Dru <dlavigne6@cogeco.ca>
X-X-Sender: dlavigne6@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca
To: Tillman Hodgson <tillman@seekingfire.com>
Cc: Mike Tancsa <mike@sentex.net>, <questions@FreeBSD.ORG>
Subject: Re: IPSEC & routing w/o gif
In-Reply-To: <20020906155604.A15339@seekingfire.com>
Message-ID: <20020906180753.R164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG



On Fri, 6 Sep 2002, Tillman Hodgson wrote:

> On Fri, Sep 06, 2002 at 04:33:54PM -0400, Dru wrote:
> > Hi Tillman,
> >
> > It is odd that there are 4 entries; you should only have 4 when using both
> > ESP and AH as there should be one per direction per protocol (ESP or AH).
> > How many SAs are on the FreeSwan box?
> >
> > Are you absoutely sure both lifetimes are the same on both boxes? I've
> > been known to forget before that vendors sometimes think in seconds, minutes,
> > or hours with very little consistency :)
>
> Absolutely. Here's the relevent sections of the config files:

<snip>

Out of curiosity, why is your IKE SA shorter than your IPSEC SA? (that
might be the problem). The IKE SA says how often the negotiated parameters
are valid and is usually fairly long, say 24 hours. The IPSEC SA states
how often the key changes which should be often, say every hour.

HTH,

Dru


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message