Date: Sat, 9 Mar 2002 00:55:02 -0500
From: "Martin Gignac" <freebsd@mobilitylab.net>
To: freebsd-questions@freebsd.org
Subject: IPSec, IKE and reboot question...
Message-ID: <20020309005502.M82821@mobilitylab.net>
Hi,

I've installed and configured the racoon port on two FreeBSD 4.4 systems and have set up an ESP transport-mode IPSec security policy and security association between them. All traffic from one to the other is automatically encrypted. IKE works fine and I have set up the machines to run racoon and configure setkey on boot-up in /etc/rc.local and /etc/rc.conf respectively.

Now my problem is that when _one_ of the servers reboots, it can't set up a new SA with the other server because the "old" SP and SA on the other server refuse to recognize the unencrypted traffic generated by the rebooted server's wish to exchange key information on UDP port 500. The rebooted server always ends up having to wait for the other server's SA to expire (it is set to 3600 seconds on both) so that the latter can "drop its guard" and accept unencrypted traffic from the rebooted server to perform the key exchange.

Short of reducing the key lifetime to a smaller value, is there another way to allow for a prompt and proper key exchange between the two servers after one of them reboots?

Thanks,
-Martin

--
Open WebMail Project (http://openwebmail.org)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
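The failure Martin describes comes from the surviving peer's security policy: a catch-all `require` entry in the SPD makes the kernel drop the rebooted peer's cleartext IKE packets on UDP/500, so no new SA can be negotiated until the old one expires. The usual remedy is a more specific `none` policy for UDP/500 in each direction, added before the catch-all entries. The script below is an added example, not code from the post or from the racoon or KAME projects: it parses setkey-style `spdadd` lines and reports any catch-all `require` entry that is not preceded by a matching IKE bypass entry. The peer addresses (192.0.2.1 and 192.0.2.2) and the three configurations are constructed, and the check assumes the SPD is searched in insertion order with the first match winning, which should be confirmed against setkey(8) for the release in use.

```python
"""Check a setkey SPD configuration for an IKE (UDP/500) bypass entry.

Constructed example. A peer whose SPD says "require" for all traffic will
drop cleartext IKE from a rebooted neighbour; a "none" entry for UDP/500
placed before the catch-all entries lets the key exchange through.
"""
import re

# Constructed configurations; 192.0.2.0/24 is a documentation prefix.
SPD_WITHOUT_BYPASS = """\
spdflush;
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
"""

SPD_WITH_BYPASS = """\
spdflush;
# IKE travels in the clear: exempt UDP/500 before the catch-all entries
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in  none;
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
"""

# Bypass entries present but added after the catch-all: still broken if the
# kernel matches in insertion order (assumption; see setkey(8)).
SPD_MISORDERED = """\
spdflush;
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in  none;
"""

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+"
    r"(?P<dir>in|out|fwd)\s+(?P<policy>.+?)\s*;\s*$"
)
ENDPOINT_RE = re.compile(r"^(?P<addr>[^\[]+)(?:\[(?P<port>[^\]]+)\])?$")


def parse_endpoint(ep):
    """Split '192.0.2.1[500]' into ('192.0.2.1', '500'); no port -> 'any'."""
    m = ENDPOINT_RE.match(ep)
    if not m:
        raise ValueError("bad endpoint: %s" % ep)
    return m.group("addr"), m.group("port") or "any"


def parse_spd(text):
    """Return the spdadd entries of a setkey file as dicts, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # setkey uses '#' comments
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError("unparsable spdadd line: %s" % line)
        src, sport = parse_endpoint(m.group("src"))
        dst, dport = parse_endpoint(m.group("dst"))
        entries.append({
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "upper": m.group("upper"), "dir": m.group("dir"),
            "policy": m.group("policy").split(),
        })
    return entries


def is_ike_bypass(e):
    """UDP/500 <-> UDP/500 with policy 'none': IKE is allowed in the clear."""
    return (e["upper"] == "udp" and e["sport"] == "500"
            and e["dport"] == "500" and e["policy"] == ["none"])


def is_catch_all_require(e):
    """Any protocol, any port, ipsec policy at level 'require'."""
    return (e["upper"] == "any" and e["sport"] == "any" and e["dport"] == "any"
            and e["policy"][0] == "ipsec"
            and any(p.endswith("/require") for p in e["policy"][1:]))


def check_ike_bypass(text):
    """Return a list of problems; an empty list means IKE can get through.

    For every catch-all 'require' entry there must be an earlier bypass
    entry with the same direction and the same src/dst pair.
    """
    problems = []
    entries = parse_spd(text)
    for idx, e in enumerate(entries):
        if not is_catch_all_require(e):
            continue
        covered = any(
            is_ike_bypass(b) and b["dir"] == e["dir"]
            and b["src"] == e["src"] and b["dst"] == e["dst"]
            for b in entries[:idx])
        if not covered:
            problems.append(
                "%s policy %s -> %s has no preceding UDP/500 'none' entry; "
                "a rebooted peer's IKE packets would be dropped"
                % (e["dir"], e["src"], e["dst"]))
    return problems


if __name__ == "__main__":
    for name, conf in (("without bypass", SPD_WITHOUT_BYPASS),
                       ("with bypass", SPD_WITH_BYPASS),
                       ("misordered", SPD_MISORDERED)):
        print(name, check_ike_bypass(conf) or "ok")
```

Run it against the file that rc.local hands to `setkey -f`; the misordered sample shows why the bypass entries must be added first rather than merely present. The check only compares exact address strings, so prefix entries such as 0.0.0.0/0 need a policy-by-policy reading instead.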