From owner-freebsd-questions Fri Mar 8 21:55:11 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.mobilitylab.net (goldorak.ericsson.ca [192.75.89.161]) by hub.freebsd.org (Postfix) with SMTP id 0CA0237B404 for ; Fri, 8 Mar 2002 21:55:09 -0800 (PST)
Received: (qmail 15887 invoked from network); 9 Mar 2002 00:55:02 -0500
Received: from unknown (HELO mobilitylab.net) (172.20.2.2) by goldorak.mobilitylab.net with SMTP; 9 Mar 2002 00:55:02 -0500
From: "Martin Gignac"
To: freebsd-questions@freebsd.org
Subject: IPSec, IKE and reboot question...
Date: Sat, 9 Mar 2002 00:55:02 -0500
Message-Id: <20020309005502.M82821@mobilitylab.net>
X-Mailer: Open WebMail 1.62 20020309
X-OriginatingIP: 172.20.2.2 (freebsd)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi,

I've installed and configured the racoon port on two FreeBSD 4.4 systems and have set up an ESP transport-mode IPSec security policy and security association between them. All traffic from one to the other is automatically encrypted. IKE works fine, and I have set up the machines to run racoon and configure setkey on boot in /etc/rc.local and /etc/rc.conf respectively.

Now my problem is that when _one_ of the servers reboots, it can't set up a new SA with the other server, because the "old" SP and SA on the other server refuse to recognize the unencrypted traffic generated by the rebooted server's wish to exchange key information on UDP port 500. The rebooted server always ends up having to wait for the other server's SA to expire (it is set to 3600 seconds on both) so that the latter can "drop its guard" and accept unencrypted traffic from the rebooted server to perform the key exchange.
Short of reducing the key lifetime to a smaller value, is there another way to allow for a prompt and proper key exchange between the two servers after one of them reboots?

Thanks,
-Martin

--
Open WebMail Project (http://openwebmail.org)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
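The symptom described in the message above is what a host-to-host "require" policy produces when the policy also covers the IKE traffic itself: once the responder has an SP demanding ESP for everything from the peer, the peer's cleartext ISAKMP packets on UDP/500 fall under that policy and are dropped until the SA expires. The script below is an added example, not part of the original message or of the racoon port: it generates a setkey(8) policy file in which the ISAKMP exchange is exempted ("-P ... none") before the catch-all ESP transport-mode rules. The addresses 10.0.0.1 and 10.0.0.2 are placeholders, the file is assumed to be loaded with `setkey -f`, and the ordering relies on the assumption that the KAME SPD is matched in insertion order (first match wins), which should be confirmed on the target system with `setkey -DP`.

```shell
#!/bin/sh
# Added example (not from the original post): emit a setkey(8) policy file
# that lets IKE (UDP/500) bypass IPsec while every other packet between
# the two hosts must use ESP in transport mode.
#
# Assumptions: 10.0.0.1/10.0.0.2 are placeholder addresses; policies are
# matched in the order they are added (first match wins), so the bypass
# rules are written before the catch-all rules.

gen_policy() {
    me="$1"
    peer="$2"
    cat <<EOF
# Flush existing policies so that reloading this file is idempotent.
spdflush;

# ISAKMP (UDP/500) in the clear, both directions. A peer that lost its
# SAs (reboot) can therefore start a new IKE negotiation immediately
# instead of waiting for the old SA on this side to expire.
spdadd $me[500] $peer[500] udp -P out none;
spdadd $peer[500] $me[500] udp -P in none;

# Everything else between the two hosts: ESP, transport mode, mandatory.
spdadd $me $peer any -P out ipsec esp/transport//require;
spdadd $peer $me any -P in ipsec esp/transport//require;
EOF
}

# Offline sanity check: the bypass rules must precede the catch-all rules,
# otherwise the catch-all swallows IKE as well. Returns 0 when the order
# is right, 1 otherwise.
bypass_precedes_catchall() {
    gen_policy "$1" "$2" | awk '
        /\[500\] .*-P (in|out) none;/   { if (!b) b = NR }
        / any -P (in|out) ipsec /       { if (!c) c = NR }
        END { exit ((b && c && b < c) ? 0 : 1) }'
}

# Number of spdadd rules emitted (two bypass + two catch-all).
rule_count() {
    gen_policy "$1" "$2" | grep -c '^spdadd'
}

# Usage: ./gen_ipsec_policy.sh 10.0.0.1 10.0.0.2 > /etc/ipsec.conf
#        setkey -f /etc/ipsec.conf && setkey -DP
gen_policy "${1:-10.0.0.1}" "${2:-10.0.0.2}"
```

After loading the file, `setkey -DP` should list the two UDP/500 "none" entries ahead of the two "esp/transport//require" entries for each direction; if the kernel on the target host does not match policies in file order, the bypass entries must be made to win by whatever mechanism that kernel offers, which this example does not attempt to cover. Running racoon on both sides is still required for the actual SA negotiation; the bypass only ensures that the negotiation traffic can reach it.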