From: VANHULLEBUS Y. <va...@fr...> - 2012-11-27 10:30:21

On Thu, Nov 22, 2012 at 06:12:24PM +0100, Oliver Loch wrote:
> Hi,

Hi.

> I run two racoon daemons to establish a tunnel between two subnets. I
> set the "proposal_check" option to "exact" on both sites. If the
> system now tries to establish the tunnel, I get an error that the
> lifetime byte in the proposal does not match. Locally it's set to "0"
> and on the remote to uint32_max.
>
> I checked the man page and found the option "lifetime byte xxx
> [K|M|G|T]B". Set it on both sites and now both sites error out with:
>
> ERROR: /etc/racoon/racoon.conf:30: "B" byte lifetime support is deprecated
>
> So how do I solve this issue to be able to use "exact" in the
> "proposal_check" option?

Just remove the lifetime byte line from both your config files...

Such lifetimes were deprecated a while ago, mainly because they
generate more problems than they solve: you can have an SA expiring
because of lifetime byte, but the SA on the other way is still alive
(should we renegotiate both SAs?), you can have traffic loss on the
way, so this counter won't have the same value on both peers, etc...

Yvan.