Date: Tue, 10 Sep 2002 20:38:33 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: Dru <dlavigne6@cogeco.ca>
Cc: Mike Tancsa <mike@sentex.net>, questions@FreeBSD.ORG
Subject: Re: IPSEC & routing w/o gif
Message-ID: <20020910203833.A4107@seekingfire.com>
In-Reply-To: <20020906180753.R164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>; from dlavigne6@cogeco.ca on Fri, Sep 06, 2002 at 06:09:43PM -0400
References: <20020906155604.A15339@seekingfire.com> <20020906180753.R164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
On Fri, Sep 06, 2002 at 06:09:43PM -0400, Dru wrote:
> On Fri, 6 Sep 2002, Tillman Hodgson wrote:
> > Absolutely. Here are the relevant sections of the config files:
> > <snip>
>
> Out of curiosity, why is your IKE SA shorter than your IPSEC SA? (that
> might be the problem). The IKE SA says how often the negotiated parameters
> are valid and is usually fairly long, say 24 hours. The IPSEC SA states
> how often the key changes, which should be often, say every hour.
>
> HTH,
>
> Dru

That's a very good point, and it would explain what the problem is. It
sounds like the gateways are agreeing that everything is valid for X
minutes, but they won't renegotiate until X+Y minutes ... when X expires,
they're in a precarious state.

I'll try changing to IKE: 24 hours and SA: 2 minutes for testing and see
how things go.

Thanks,

-T

--
You can have peace. Or you can have freedom. Don't ever count on having
both at once.
    Robert Heinlein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
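An added example, written for this archive page and not taken from the thread or from either poster's configuration, showing the lifetime relationship Dru describes in racoon.conf syntax. It assumes the gateways run racoon (the KAME IKE daemon that shipped with FreeBSD at the time), which the thread does not state; the peer address 192.0.2.1, the algorithm choices, the pre-shared key path and the "before" lifetimes are placeholders, since the snipped config is not on the page.

```conf
# Added example, not the config from the thread. Assumes racoon (KAME IKE
# daemon); 192.0.2.1, the algorithms and the psk path are placeholders.

# --- Before: IKE (phase 1) SA shorter than the IPsec (phase 2) SA ---
# Illustrative values only; the original ones are not on the page.
# When the 1 hour IKE SA lapses, the peers still hold a valid IPsec SA but
# have no IKE SA to renegotiate with until the 8 hour lifetime runs out,
# which is the precarious state discussed in the thread.
#
# remote 192.0.2.1 {
#     exchange_mode main;
#     lifetime time 1 hour;        # IKE SA: too short
#     proposal {
#         encryption_algorithm 3des;
#         hash_algorithm sha1;
#         authentication_method pre_shared_key;
#         dh_group 2;
#     }
# }
# sainfo anonymous {
#     pfs_group 2;
#     lifetime time 8 hour;        # IPsec SA: outlives the IKE SA
#     encryption_algorithm 3des;
#     authentication_algorithm hmac_sha1;
#     compression_algorithm deflate;
# }

# --- After: IKE SA long-lived, IPsec SA rekeyed often (Dru's suggestion) ---
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # placeholder path

remote 192.0.2.1 {
    exchange_mode main;
    lifetime time 24 hour;      # IKE (phase 1) SA: negotiated parameters valid for a day
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;       # IPsec (phase 2) SA: keys change every hour
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

The phase 1 lifetime in the remote block must exceed the phase 2 lifetime in the sainfo block, so that an IKE SA is always available when an IPsec SA needs rekeying. After restarting racoon, `setkey -D` dumps the installed IPsec SAs with their current and hard lifetimes, which lets you confirm that the new phase 2 value actually took effect on both gateways.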