Date:      Thu, 14 Oct 2010 20:06:23 +0200
From:      Jerome Herman <jherman@dichotomia.fr>
To:        Erik Norgaard <norgaard@locolomo.org>, questions@FreeBSD.org
Subject:   Re: IPSec/racoon key time to live
Message-ID:  <4CB7469F.5020109@dichotomia.fr>
In-Reply-To: <4CB71326.3030301@locolomo.org>
References:  <4CB71326.3030301@locolomo.org>

On 14/10/2010 16:26, Erik Norgaard wrote:
> Hi:
>
> I'm up against configuring a number of different systems with 
> host-host IPSec AH-only. The systems use different versions of racoon.
>
> Questions:
>
> - Must the key lifetime be the same in both ends?

In theory both ends are supposed to negotiate and select the smallest 
lifetime between the hosts.
Reality is quite different: there are as many implementations of IPSec 
as there are devices implementing it, or close. And connecting in IPSec 
with a Cisco or a Checkpoint can be quite tedious. My opinion: avoid 
unnecessary headaches, put the same lifetime on both ends.

> - Can key lifetime be configured per host-host connection?
Yes.

Jerome Herman

>
> Thanks, Erik
>
>
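To make the two answers above concrete, here is an added example racoon.conf fragment for one side of such a host-host AH-only pair. It is not from the thread or from any of the posters; the addresses (192.0.2.1 / 192.0.2.2), the lifetimes, the algorithms and the pre-shared-key path are made up, and the directive names are those of racoon.conf(5). The peer gets the mirror image with identical lifetime values, which is the advice given in the reply.

```conf
# Added example (not from the thread): racoon.conf for host A (192.0.2.1)
# talking AH-only to host B (192.0.2.2). Addresses, lifetimes and the PSK
# path are made up; host B uses the mirror image with the SAME lifetimes.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (ISAKMP SA). The remote block is per peer, so this lifetime can be
# set differently for every host-host pair.
remote 192.0.2.2 {
        exchange_mode main;
        lifetime time 24 hour;
        # How the responder treats an initiator whose lifetime differs from ours:
        #   obey    accept the initiator's value
        #   strict  reject if the initiator's lifetime is longer than ours
        #   claim   use the shorter of the two and notify the peer
        #   exact   require an identical value
        # "claim" is this example's choice for mixed racoon versions (an
        # assumption); with the same value configured on both ends, as the
        # reply recommends, any of the four settings works.
        proposal_check claim;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA). One sainfo per host pair, so this lifetime is also
# per connection. Only AH is negotiated because the SPD (loaded with setkey,
# policy "ah/transport//require") asks for AH only; encryption_algorithm and
# compression_algorithm are still listed because racoon's config parser
# expects all three algorithm classes in a sainfo block (assumption: newer
# versions check this, older ones may be laxer).
sainfo address 192.0.2.1 any address 192.0.2.2 any {
        pfs_group 2;
        lifetime time 8 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Two things a practitioner would check after writing this: `proposal_check` only has an effect on the side that is the responder in a given negotiation, so the mismatch handling you get depends on which host initiates; and the AH-only part lives in the SPD, not here, so both hosts also need matching `spdadd` entries for the pair with `ah/transport//require` in both directions.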
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4CB7469F.5020109>