Re: Racoon not synchronizing keys? (was: none)

From: Barry Irwin (bvi@itouchlabs.com)
Date: 05/22/02


Date: Wed, 22 May 2002 14:46:12 +0200
From: Barry Irwin <bvi@itouchlabs.com>
To: Thomas Fritz <tf@slash10.com>

The short, but not quite so perfect answer, is to adjust the lifetimes in
your racoon.conf. There are two lifetimes. The IKE lifetime can be
kept short (like 60 seconds), as this is only used for covering the
negotiation of keys for the IPSEC SAs. The IPSEC SA lifetime is the second;
the suggestions are that this should be kept fairly short, as each
time the keys are changed, it reduces the window of opportunity that an
intruder has to view your data. However, by keeping these short as well, you
would have to wait on average n/2 time units for the IPSEC SA to expire and
be re-negotiated.

One thing I have seen is the explicit KEY_EXPIRE message in the racoon debug
logs. It would be nice to know how to send these explicitly :-)

Okay, not as helpful as I intended, but worth voicing anyway.

Barry

On Wed 2002-05-22 (10:51), Thomas Fritz wrote:
> Hi again!
>
> Forgot the subject the first time...
>
> I already got an answer to my question, which stated,
> that I should use manual keys instead.
>
> But that's not an option for me.
>
> Is there really no other solution?
>
> Thanks
> /tom
>
>
> >Hi there!
> >
> >On the URL http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html I found
> >this warning below:
> >
> >One other word of warning -- if you reboot one of the hosts, and suddenly
> >have connectivity problems, flush the keys on both machines by running
> >setkey -F. It's possible for the keys to get out of sync.
> >
> >
> >Is there any way to overcome this problem without flushing the keys by hand?
> >
> >
> >Thanks in advance
> >
> >/tom
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

--
Barry Irwin		bvi@itouchlabs.com			+27214875177
Systems Administrator: Networks And Security
Itouch Labs 		http://www.itouchlabs.com		South Africa
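The two lifetimes Barry describes are set in different sections of racoon.conf: the phase 1 (IKE) lifetime in the remote block, and the phase 2 (IPsec SA) lifetime in the sainfo block. The fragment below is an added illustration, not part of the original thread or of any racoon distribution; the pre-shared key path, peer address, cipher choices and lifetime values are assumptions chosen for the example.

```conf
# Added example: a minimal racoon.conf showing where each lifetime lives.
# The key file path is an assumed value for this illustration.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (IKE / ISAKMP SA). This SA only protects the key negotiation
# itself, so a short lifetime costs little beyond extra Diffie-Hellman work.
remote 192.0.2.1 {          # placeholder peer address (documentation range)
    exchange_mode main;
    lifetime time 60 sec;   # the 60-second IKE lifetime suggested in the reply
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# Phase 2 (IPsec SA). This lifetime bounds both how much traffic a single
# key protects and how long a stale SA outlives a rebooted peer: the side
# that stayed up waits on average n/2 for the SA to expire and be
# re-negotiated, which is the trade-off described in the reply above.
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 30 min;   # n = 30 min: a stale SA lasts at most 30 min, 15 min on average
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

After a peer reboot, `setkey -D` on the surviving host will still list the old IPsec SA until that phase 2 lifetime runs out; `setkey -F`, as the quoted article advises, clears it immediately instead of waiting.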

