From: Kevin Glick
To: freebsd-security@freebsd.org
Date: Thu, 7 Aug 2003 17:45:56 -0700
Subject: IPSec delays
Message-ID: <20030808004556.GA2051@ridiculum.woohaw.com>
List-Id: Security issues [members-only posting]

I've been using IPSec and racoon a lot lately, creating tunnels between FreeBSD machines. Everything works as it should once I've got it running. I do however seem to get delays when one or both ends of the tunnel drop or are rebooted. On reboot, once the machine starts racoon, it takes two or three minutes for the tunnel to come back up. If I stop and restart racoon, it takes only 60 seconds. I'd prefer to cut this time down on both to 30 seconds or less. Below is my racoon.conf. I've watched the racoon logs, and it doesn't give me any errors or failed negotiations. Any ideas?
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# phase 1 (ISAKMP SA) settings, applied to any peer
remote anonymous {
        exchange_mode aggressive;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 256;
        lifetime time 30 min;           # sec,min,hour
        initial_contact on;
        support_mip6 off;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# phase 2 (IPsec SA) settings, applied to any selector
sainfo anonymous {
        pfs_group 1;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Kevin Glick
glitch@ridiculum.woohaw.com
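The post reports tunnel recovery times of 60 seconds to several minutes but measures them by eye. The script below is an added example, not part of the original mail or of racoon itself: it polls FreeBSD's setkey(8) SAD dump (`setkey -D`) after a racoon restart and reports how many seconds pass before a mature ESP SA to a given peer appears, so the effect of any racoon.conf change can be measured rather than guessed. The peer addresses, the `--measure` flag and the embedded sample dump are constructed for the example; the sample only mirrors the general shape of `setkey -D` output (a source/destination header line followed by indented SA detail lines carrying `state=mature`, `state=larval` or `state=dying`), and the counting logic keys on that `state=` token.

```shell
#!/bin/sh
# Added example (not from the original mail): measure how long after a
# racoon restart the IPsec SAD shows a mature ESP SA for a given peer.
# Assumes FreeBSD's setkey(8). Peer addresses and the sample dump are constructed.

# Constructed sample in the shape of `setkey -D` output (real output indents with tabs).
SAMPLE_SETKEY_DUMP='10.0.0.1 10.0.0.2
    esp mode=tunnel spi=1234567(0x0012d687) reqid=0(0x00000000)
    E: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
    A: hmac-sha1 00010203 04050607 08090a0b 0c0d0e0f 10111213
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Aug  7 17:45:56 2003   current: Aug  7 17:46:26 2003
    diff: 30(s) hard: 1800(s)   soft: 1440(s)
10.0.0.2 10.0.0.1
    esp mode=tunnel spi=7654321(0x0074cbb1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval
10.0.0.1 10.0.0.3
    ah mode=tunnel spi=1111111(0x0010f447) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.3 10.0.0.1
    esp mode=tunnel spi=2222222(0x0021e88e) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Count ESP SAs in state "mature" involving PEER, reading a `setkey -D` dump on stdin.
# An empty PEER counts mature ESP SAs to any peer.
count_mature_esp_sas() {   # usage: count_mature_esp_sas PEER < dump
    awk -v peer="$1" '
        /^[[:alnum:]]/ {                       # unindented line: "src dst" header
            in_esp = 0
            match_peer = (peer == "" || $1 == peer || $2 == peer)
            next
        }
        $1 == "esp" && match_peer { in_esp = 1; next }   # ESP SA detail block begins
        $1 == "ah"                { in_esp = 0; next }   # AH SAs are not counted
        in_esp && /state=mature/  { n++ }
        END { print n + 0 }
    '
}

# Poll setkey(8) once a second until a mature ESP SA to PEER exists.
# Prints the seconds waited; returns 1 if TIMEOUT (default 180 s) is reached first.
wait_for_tunnel() {   # usage: wait_for_tunnel PEER [TIMEOUT_SECONDS]
    peer=$1; timeout=${2:-180}; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ "$(setkey -D | count_mature_esp_sas "$peer")" -gt 0 ]; then
            echo "$waited"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$waited"
    return 1
}

# Live measurement is only run when invoked as: sh measure.sh --measure PEER [TIMEOUT]
if [ "${1:-}" = "--measure" ]; then
    shift
    if secs=$(wait_for_tunnel "$@"); then
        echo "tunnel to $1 up after ${secs}s"
    else
        echo "no mature ESP SA to $1 after ${secs}s" >&2
        exit 1
    fi
fi
```

Run it immediately after restarting racoon (for example `/usr/local/etc/rc.d/racoon.sh restart; sh measure.sh --measure 10.0.0.2 300`) and repeat after each racoon.conf change; comparing the reported seconds against the 60-second and two-to-three-minute figures in the post shows whether a change actually shortened recovery. Because the script only reads the SAD, it is safe to leave running on both ends of the tunnel.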