From: Jerome Herman <jherman@dichotomia.fr>
To: Erik Norgaard, questions@FreeBSD.org
Date: Thu, 14 Oct 2010 20:06:23 +0200
Subject: Re: IPSec/racoon key time to live
Message-ID: <4CB7469F.5020109@dichotomia.fr>
In-Reply-To: <4CB71326.3030301@locolomo.org>

On 14/10/2010 16:26, Erik Norgaard wrote:
> Hi:
>
> I'm up against configuring a number of different systems with
> host-host IPSec AH-only. The systems use different versions of racoon.
>
> Questions:
>
> - Must the key lifetime be the same in both ends?

In theory both ends are supposed to negotiate and select the smallest lifetime between the hosts.

Reality is quite different: there are as many implementations of IPSec as there are devices implementing it, or close. And connecting in IPSec with a Cisco or a Checkpoint can be quite tedious. My opinion: avoid unnecessary headaches: put the same lifetime on both ends.

> - Can key lifetime be configured per host-host connection?

Yes.

Jerome Herman

> Thanks, Erik
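As an added illustration of the two answers above (a configuration fragment written for this page, not Jerome's or Erik's, and not taken from the racoon project), here is how racoon expresses a lifetime per host-host connection: the phase 1 lifetime lives in a per-peer `remote` block and the phase 2 lifetime in a per-address-pair `sainfo` block, so two peers can be given different values, and matching the peer is a matter of putting the same numbers in its mirror-image blocks. The addresses 192.0.2.1 (this host) and 192.0.2.2 (the peer), the PSK path and the 8 hour / 1 hour lifetimes are placeholders chosen for the example.

```conf
# /usr/local/etc/racoon/racoon.conf on 192.0.2.1 (path as installed by the
# FreeBSD security/ipsec-tools port). All addresses, lifetimes and the PSK
# file path are example placeholders.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (ISAKMP SA) parameters for this one peer. A second peer would get
# its own "remote" block, which is what makes the lifetime per-connection.
remote 192.0.2.2 {
        exchange_mode main;
        lifetime time 8 hour;       # use the same value in the peer's remote block
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) parameters, keyed to exactly this pair of hosts.
sainfo address 192.0.2.1 any address 192.0.2.2 any {
        pfs_group 2;
        lifetime time 1 hour;       # use the same value in the peer's sainfo block
        # AH-only is chosen by the SPD policy loaded with setkey
        # (ah/transport//require), not here. encryption_algorithm is only used
        # if ESP is negotiated; it is listed because racoon's parser expects
        # every sainfo to name one. hmac_sha1 is what AH will use.
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The peer's file is the same with `remote 192.0.2.1` and the two addresses in `sainfo` swapped. The AH transport policy that selects AH rather than ESP goes into the SPD via setkey, e.g. `spdadd 192.0.2.1 192.0.2.2 any -P out ipsec ah/transport//require;` plus the matching `-P in` line. To confirm both ends really ended up with the same value after negotiation, `setkey -D` prints each installed SA with its hard and soft lifetime, and `racoonctl show-sa isakmp` shows the phase 1 SA; a mismatch between the two hosts' figures there is the early warning for the rekey trouble the reply describes.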