From: lupe@lupe-christoph.de (Lupe Christoph)
To: Kevin Glick
Cc: freebsd-security@freebsd.org
Date: Sat, 9 Aug 2003 12:39:39 +0200
Subject: Re: IPSec delays
Message-ID: <20030809103939.GC25445@lupe-christoph.de>
In-Reply-To: <20030808004556.GA2051@ridiculum.woohaw.com>
List-Id: Security issues [members-only posting]

On Thursday, 2003-08-07 at 17:45:56 -0700, Kevin Glick wrote:

> I've been using IPSec and racoon a lot lately creating tunnels between
> FreeBSD machines. Everything works as it should once I've got it
> running. I do however seem to get delays when one, or both ends of the
> tunnel drop or are rebooted. On reboot, once the machine starts racoon,
> it takes two or three minutes for the tunnel to come back up. If I stop
> and restart racoon, it takes only 60 seconds. I'd prefer to cut this
> time down on both to 30 seconds or less. Below is my racoon.conf.
>
> I've watched the racoon logs, and it doesn't give me any errors, or
> failed negotiations. Any ideas?

I had something like this with a Racoon/FreeS/WAN setup. I found out that
the algorithms did not match, and the tunnel would only be built from the
Racoon side. Seems FreeS/WAN was set up to accept a wider range of
algorithms than Racoon. I have to confess I did not understand if you can
specify more than one algorithm to Racoon.

Switch on debugging and look for rejected connection attempts.

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent"       Lu Tze         |
| "Thief of Time", Terry Pratchett                             |
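As an added illustration of the two points raised in the reply (racoon does accept more than one algorithm, and debugging has to be switched on before rejected proposals become visible), here is a racoon.conf fragment. It is example configuration written for this page, not the original poster's racoon.conf (which is not reproduced here) and not a file from the racoon project; the peer and local addresses, the pre-shared-key path and the particular algorithm choices are assumptions.

```conf
# Example racoon.conf fragment added to this page; not the poster's file.
# Addresses, the PSK path and the algorithm choices are placeholders.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed location

# While diagnosing, raise the log level so racoon reports every proposal it
# receives and why it rejected one. "notify" is the quieter default; "debug2"
# is more verbose still. Turn it back down once the tunnel is stable.
log debug;

# Phase 1 (ISAKMP SA). More than one proposal block is allowed; racoon offers
# them in this order and the negotiation succeeds on the first one the peer
# also accepts. Listing a second transform is what lets two peers with
# differently ordered preferences still agree.
remote 192.0.2.2 {                         # placeholder peer address
        exchange_mode main;
        my_identifier address 192.0.2.1;   # placeholder local address
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA). Here several algorithms go in one comma-separated
# list; the first entry of each list is the preferred one.
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

To watch a negotiation without touching the log setting, racoon can also be run in the foreground with the debug level raised from the command line, for instance `racoon -F -dd -f /usr/local/etc/racoon/racoon.conf` (the config path is again an assumption). Whatever the peer finally agreed to is visible afterwards with `setkey -D`; if the SA there carries a different cipher or hash than the other side's configuration lists as preferred, the two ends walked different proposal lists to reach it.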