Date: Fri, 6 Sep 2002 18:09:43 -0400 (EDT)
From: Dru <dlavigne6@cogeco.ca>
To: Tillman Hodgson <tillman@seekingfire.com>
Cc: Mike Tancsa <mike@sentex.net>, <questions@FreeBSD.ORG>
Subject: Re: IPSEC & routing w/o gif
Message-ID: <20020906180753.R164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
In-Reply-To: <20020906155604.A15339@seekingfire.com>

On Fri, 6 Sep 2002, Tillman Hodgson wrote:

> On Fri, Sep 06, 2002 at 04:33:54PM -0400, Dru wrote:
> > Hi Tillman,
> >
> > It is odd that there are 4 entries; you should only have 4 when using both
> > ESP and AH as there should be one per direction per protocol (ESP or AH).
> > How many SAs are on the FreeSwan box?
> >
> > Are you absolutely sure both lifetimes are the same on both boxes? I've
> > been known to forget before that vendors sometimes think in seconds, minutes,
> > or hours with very little consistency :)
>
> Absolutely. Here's the relevant sections of the config files:

<snip>

Out of curiosity, why is your IKE SA shorter than your IPSEC SA? (that
might be the problem). The IKE SA says how often the negotiated parameters
are valid and is usually fairly long, say 24 hours. The IPSEC SA states
how often the key changes which should be often, say every hour.

HTH,

Dru
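
The two checks raised in this message (same lifetimes on both gateways once units are normalized, and IKE SA lifetime not shorter than IPsec SA lifetime), as an added example that is not part of the original e-mail. The unit spellings, the bare-number-means-seconds rule, the function names and the sample values are assumptions; the configs in the thread were snipped.

```python
import re

# Seconds per unit. Word spellings follow racoon.conf, single letters follow
# FreeS/WAN ipsec.conf; which daemons are in use is an assumption.
UNITS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400,
}

def to_seconds(text):
    """Normalize a lifetime such as '24 hours', '60m' or '3600' to seconds."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([a-z]*)\s*", text.lower())
    if not m:
        raise ValueError(f"unparseable lifetime: {text!r}")
    number, unit = m.groups()
    unit = unit or "s"  # assumption: a bare number means seconds
    if unit not in UNITS:
        raise ValueError(f"unknown unit in lifetime: {text!r}")
    return int(float(number) * UNITS[unit])

def check_lifetimes(local, peer):
    """Compare 'ike' and 'ipsec' lifetimes of two gateways; return findings."""
    secs = {name: {k: to_seconds(v) for k, v in cfg.items()}
            for name, cfg in (("local", local), ("peer", peer))}
    findings = []
    for kind in ("ike", "ipsec"):
        a, b = secs["local"][kind], secs["peer"][kind]
        if a != b:
            findings.append(f"{kind} lifetime mismatch: local {a}s, peer {b}s")
    for name in ("local", "peer"):
        if secs[name]["ike"] < secs[name]["ipsec"]:
            findings.append(f"{name}: IKE SA lifetime shorter than IPsec SA lifetime")
    return findings

# Constructed sample values, not taken from the snipped configs.
LOCAL = {"ike": "1 hour", "ipsec": "8 hours"}
PEER = {"ike": "60m", "ipsec": "480"}  # 480 was meant as minutes

if __name__ == "__main__":
    for finding in check_lifetimes(LOCAL, PEER):
        print(finding)
```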