Date: Thu, 11 May 2000 10:46:23 +0300 (EEST)
From: Ville-Pertti Keinonen <will@iki.fi>
To: dillon@apollo.backplane.com
Cc: hackers@FreeBSD.ORG
Subject: Re: ipsec 'replay' syslog error messages after reboot of one host
Message-ID: <20000511074623.862DA587A@mail.ztango.com>
In-Reply-To: <200005110733.AAA62618@apollo.backplane.com> (message from Matthew Dillon on Thu, 11 May 2000 00:33:37 -0700 (PDT))
References: <200005110127.SAA61600@apollo.backplane.com> <863dnplfpw.fsf@not.demophon.com> <200005110733.AAA62618@apollo.backplane.com>
> IPSec isn't well documented, but once I figured out the config
> file it didn't seem too bad. I am guessing that replay prevention

Reading the RFCs might be more helpful than most of the KAME documentation. There's also a lot of undocumented stuff for which the sources seem to be the only source of information (e.g. how PF_KEY v2 differs from the standard).

> I had to fix up /etc/rc.network a little to load the ipsec rules
> at the appropriate point (just after the interface and ipfw setup,
> but before any services (like NFS) are run). I am going to put the
> (relatively simple) patch for rc.network up for a quick review and
> then commit it along with an example file and a reference to the
> example file in the man page.

Fixed security associations with an infinite lifetime are certainly not the ideal way of using IPsec. Examples of setups like this should be provided with the appropriate warnings.