From owner-freebsd-questions Tue Sep 10 20: 7:56 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C2FA037B401 for ; Tue, 10 Sep 2002 20:07:52 -0700 (PDT)
Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4417C43E6A for ; Tue, 10 Sep 2002 20:07:52 -0700 (PDT) (envelope-from tillman@seekingfire.com)
Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 5DD99A6; Tue, 10 Sep 2002 20:41:14 -0600 (CST)
Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id g8B2cXO04112; Tue, 10 Sep 2002 20:38:33 -0600
Date: Tue, 10 Sep 2002 20:38:33 -0600
From: Tillman Hodgson
To: Dru
Cc: Mike Tancsa, questions@FreeBSD.ORG
Subject: Re: IPSEC & routing w/o gif
Message-ID: <20020910203833.A4107@seekingfire.com>
References: <20020906155604.A15339@seekingfire.com> <20020906180753.R164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020906180753.R164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>; from dlavigne6@cogeco.ca on Fri, Sep 06, 2002 at 06:09:43PM -0400
X-Urban-Legend: There is lots of hidden information in headers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Sep 06, 2002 at 06:09:43PM -0400, Dru wrote:
> On Fri, 6 Sep 2002, Tillman Hodgson wrote:
>
> > Absolutely. Here are the relevant sections of the config files:
> >
>
> Out of curiosity, why is your IKE SA shorter than your IPSEC SA? (that
> might be the problem). The IKE SA says how often the negotiated parameters
> are valid and is usually fairly long, say 24 hours. The IPSEC SA states
> how often the key changes, which should be often, say every hour.
>
> HTH,
>
> Dru

That's a very good point, and it would explain what the problem is. It
sounds like the gateways are agreeing that everything is valid for X
minutes, but they won't renegotiate until X+Y minutes ... when X expires,
they're in a precarious state.

I'll try changing to IKE: 24 hours and SA: 2 minutes for testing and see
how things go.

Thanks,

-T

-- 
You can have peace. Or you can have freedom. Don't ever count on having
both at once.
    Robert Heinlein
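The lifetime mismatch Dru points out can be checked mechanically before a tunnel is brought up. The following is an added example and not part of this thread (the config sections Tillman referred to were not included in the archived message); it assumes racoon.conf-style syntax, where the phase 1 (IKE) lifetime is a `lifetime time N unit;` statement in a `remote` block and the phase 2 (IPsec) lifetime is the same statement in a `sainfo` block, and it flags any `remote` whose IKE SA lifetime is not longer than an IPsec SA lifetime. Both sample configurations are constructed for the example: one with the inverted lifetimes, one with the 24 hour / 1 hour values Dru suggests.

```python
"""Lint racoon.conf-style lifetimes: flag a phase 1 (IKE) SA lifetime that is
not longer than the phase 2 (IPsec) SA lifetime.  Added example, not from the
thread; the sample configurations below are constructed."""
import re

UNITS = {"sec": 1, "min": 60, "hour": 3600}

# Constructed sample with the shape Dru asked about: the IKE SA (remote block)
# lives 30 minutes, the IPsec SA (sainfo block) lives 8 hours.
BAD_CONF = """\
remote anonymous {
    exchange_mode main;
    lifetime time 30 min;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""

# Constructed sample with the lifetimes Dru suggests: IKE 24 hours, IPsec 1 hour.
GOOD_CONF = (BAD_CONF
             .replace("lifetime time 30 min;", "lifetime time 24 hour;")
             .replace("lifetime time 8 hour;", "lifetime time 1 hour;"))

BLOCK_START = re.compile(r"^\s*(remote|sainfo)\s+([^{]*?)\s*\{", re.MULTILINE)
LIFETIME = re.compile(r"\blifetime\s+time\s+(\d+)\s+(sec|min|hour)\s*;")


def _block_body(conf, open_brace):
    """Return the text between the brace at index open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")


def parse_lifetimes(conf):
    """Map (kind, name) -> lifetime in seconds for each top-level remote/sainfo block.
    Only the first 'lifetime time' statement in a block is used; racoon accepts it
    directly in the block or inside a proposal sub-block, and the first match covers
    either placement when a block carries just one."""
    lifetimes = {}
    pos = 0
    while True:
        m = BLOCK_START.search(conf, pos)
        if not m:
            return lifetimes
        open_brace = m.end() - 1
        body = _block_body(conf, open_brace)
        lt = LIFETIME.search(body)
        if lt:
            lifetimes[(m.group(1), m.group(2).strip())] = int(lt.group(1)) * UNITS[lt.group(2)]
        pos = open_brace + len(body) + 2  # continue after the matching close brace


def check_lifetimes(conf):
    """Return one finding per (remote, sainfo) pair whose IKE SA lifetime is not
    longer than the IPsec SA lifetime.  racoon does not pair the blocks by name,
    so every remote is compared against every sainfo."""
    lifetimes = parse_lifetimes(conf)
    remotes = {n: s for (k, n), s in lifetimes.items() if k == "remote"}
    sainfos = {n: s for (k, n), s in lifetimes.items() if k == "sainfo"}
    findings = []
    for rname, ike in remotes.items():
        for sname, ipsec in sainfos.items():
            if ike <= ipsec:
                findings.append(
                    f"remote {rname}: IKE SA lifetime {ike}s is not longer than the "
                    f"IPsec SA lifetime {ipsec}s in sainfo {sname}; phase 1 expires "
                    f"before phase 2 needs rekeying")
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, check_lifetimes(conf) or ["ok"])
```

Run against a real racoon.conf by reading the file into `check_lifetimes()`; an empty list means every `remote` block outlives every `sainfo` block, which is the relationship Dru describes (long-lived IKE SA, frequently rekeyed IPsec SA).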