Date: Wed, 22 May 2002 14:46:12 +0200
From: Barry Irwin
To: Thomas Fritz
Cc: freebsd-security@freeBSD.ORG
Subject: Re: Racoon not synchronizing keys? (was: none)
Message-ID: <20020522144612.N89347@itouchlabs.com>
In-Reply-To: <5.1.0.14.0.20020522104354.00b02fa8@alpha.slash10.net>; from tf@slash10.com on Wed, May 22, 2002 at 10:51:41AM +0200

The short, but not quite so perfect answer, is to adjust the lifetimes in your racoon.conf. There are two lifetimes: the IKE lifetime, which can be kept short (like 60 seconds) as this is only used for covering the negotiation of keys for the IPSEC SAs.
The IPSEC SA is the second lifetime; the suggestions are that this should be kept fairly short, as each time the keys are changed, it reduces the window of opportunity that an intruder has to view your data. However, by keeping these short as well, you would have to wait on average n/2 time units for the IPSEC SA to expire and to be re-negotiated.

One thing I have seen is the explicit KEY_EXPIRE message in the racoon debug logs. Would be nice to know how to send these explicitly :-)

Okay, not as helpful as I intended, but worth voicing anyway.

Barry

On Wed 2002-05-22 (10:51), Thomas Fritz wrote:
> Hi again!
>
> Forgot the subject the first time...
>
> I already got an answer to my question, which stated
> that I should use manual keys instead.
>
> But that's not an option for me.
>
> Is there really no other solution?
>
> Thanks
> /tom
>
> >Hi there!
> >
> >On the URL http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html I found
> >this warning below:
> >
> >One other word of warning -- if you reboot one of the hosts, and suddenly
> >have connectivity problems, flush the keys on both machines by running
> >setkey -F. It's possible for the keys to get out of sync.
> >
> >Is there any way to overcome this problem without flushing the keys by hand?
> >
> >Thanks in advance
> >
> >/tom
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Barry Irwin bvi@itouchlabs.com +27214875177
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com
South Africa
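For readers looking for where the two lifetimes Barry describes actually live in racoon.conf, the following is an added illustration, not configuration from Barry's message or from the racoon project. The phase 1 (IKE SA) lifetime sits in the `remote` block and the phase 2 (IPsec SA) lifetime sits in the `sainfo` block; the peer addresses 192.0.2.1/192.0.2.2, the pre-shared-key file path and the specific lifetime values are assumed placeholders chosen for the example.

```conf
# Added example (not from the original message): both racoon lifetimes in one file.
# Addresses, key-file path and lifetime values are placeholders for illustration.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1: the IKE SA, used only to protect the key negotiation itself.
remote 192.0.2.2 {
        exchange_mode main;
        lifetime time 60 sec;          # IKE (phase 1) lifetime, as in the reply above
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2: the IPsec SA that actually carries traffic between the two hosts.
# A shorter lifetime narrows the window an intruder has on any one key, at the
# cost of waiting on average half this value for a stale SA to expire after a reboot.
sainfo address 192.0.2.1/32 any address 192.0.2.2/32 any {
        pfs_group 2;
        lifetime time 300 sec;         # IPsec (phase 2) lifetime, kept fairly short
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Both lifetimes must be agreed with the peer, so the same values belong on both ends. When the SAs are already out of sync, `setkey -F` flushes only the SA database (the SPD is untouched unless `setkey -FP` is used), so the policies survive and racoon simply negotiates fresh SAs on the next matching packet.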