Date: Wed, 22 May 2002 14:46:12 +0200
From: Barry Irwin <bvi@itouchlabs.com>
To: Thomas Fritz <tf@slash10.com>
Cc: freebsd-security@freeBSD.ORG
Subject: Re: Racoon not synchronizing keys? (was: none)
Message-ID: <20020522144612.N89347@itouchlabs.com>
In-Reply-To: <5.1.0.14.0.20020522104354.00b02fa8@alpha.slash10.net>; from tf@slash10.com on Wed, May 22, 2002 at 10:51:41AM +0200
References: <5.1.0.14.0.20020522104354.00b02fa8@alpha.slash10.net>
The short, but not quite so perfect answer, is to adjust the lifetimes in your racoon.conf. There are two lifetimes, the IKE lifetime which can be kept short (like 60 seconds) as this is only used for covering the negotiation of keys for the IPSEC SA's. The IPSEC SA is the second lifetime, the suggestions are that this should be kept fairly short, as each time the keys are changed, it reduces the window of opportunity that an intruder has to view your data. However, by keeping these short as well, you would have to wait on average n/2 time units for the IPSEC SA to expire, and to be re-negotiated.

One thing I have seen is the explicit KEY_EXPIRE message in the racoon debug logs. Would be nice to know how to send these explicitly :-)

Okay, not as helpful as I intended, but worth voicing anyway.

Barry

On Wed 2002-05-22 (10:51), Thomas Fritz wrote:
> Hi again!
>
> Forgot the subject the first time...
>
> I already got an answer to my question, which stated,
> that I should use manual keys instead.
>
> But that's not an option for me.
>
> Is there really no other solution?
>
> Thanks
> /tom
>
>
> >Hi there!
> >
> >On the URL http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html I found
> >this warning below:
> >
> >One other word of warning -- if you reboot one of the hosts, and suddenly
> >have connectivity problems, flush the keys on both machines by running
> >setkey -F. It's possible for the keys to get out of sync.
> >
> >
> >Is there any way to overcome this problem without flushing the keys by hand?
> >
> >
> >Thanks in advance
> >
> >/tom
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Barry Irwin bvi@itouchlabs.com +27214875177
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com
South Africa
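As an added illustration (not part of Barry's message, and not taken from the racoon project's own documentation), this is how the two lifetimes he describes map onto a racoon.conf: the phase 1 (IKE) lifetime lives in the `remote` block and the phase 2 (IPsec SA) lifetime in the `sainfo` block. The 60-second IKE value is the one from the message; the 300-second IPsec SA value, the `anonymous` peer blocks, the algorithm choices and the pre-shared-key path are assumptions made for the example.

```conf
# Added example racoon.conf fragment, not from the original message.
# Only the two "lifetime" lines are the point of the example; the peer
# selector, algorithms, PSK path and the 300 sec value are assumptions.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1: the IKE (ISAKMP) SA. It only protects the key negotiation
# itself, so, as the message suggests, it can be kept short (60 seconds).
remote anonymous {
        exchange_mode main;
        lifetime time 60 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2: the IPsec SA that actually carries traffic. A shorter
# lifetime narrows the window an eavesdropper has against any one key,
# but after a reboot the two hosts stay out of sync until this lifetime
# runs out and the SA is renegotiated (on average half of it, as the
# message notes), so the value is a trade-off, not a free choice.
sainfo anonymous {
        pfs_group 2;
        lifetime time 300 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

While waiting for a short phase 2 lifetime to expire, `setkey -D` on each host dumps its current SAD entries (including the SPIs), which is the quickest way to confirm that the two ends really do disagree before flushing everything with `setkey -F` as the quoted article suggests.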