Racoon SA Hard/Soft Lifetimes

From: Jerry Murdock (jerry_murdock@yahoo.com)
Date: 05/16/02


Date: Wed, 15 May 2002 21:02:14 -0700 (PDT)
From: Jerry Murdock <jerry_murdock@yahoo.com>
To: FreeBSD-Security@FreeBSD.org

Is the Soft lifetime limit configurable for Racoon generated SA's? I've
googled around, but can't find anything on this.

I've successfully got a 2-day-old -Stable build to talk IPSEC/IKE with a
Sonicwall, but things fall apart when the SAs hit the soft lifetime limit.

A new SA is successfully negotiated with the Sonicwall when the soft lifetime
runs out, but the Sonicwall then ignores anything coming into it on the "old"
SA (which FBSD uses until the hard lifetime runs out).

The result is that no traffic passes for 20% of the SA's lifetime.

I need FBSD to either switch immediately to the new SA, or bump the Soft
lifetime limit up to the hard lifetime. A few seconds of dropped packets every
4 hours or so can be tolerated.

I hope I'm being dense and someone will tell me what I'm missing.

Thanks,
Jerry
