From: Martin G. <sou...@gl...> - 2007-05-28 03:46:14
Michiel,

Please keep us all posted as I too have observed this behavior and couldn't find a solution.

Martin

Michiel Peene wrote:
> Serge,
>
> Thanks for the info! I don't know much about the setkey program, so I just told you what the other IT support side said to me :-)
>
> It's correct that ipsec auto --status shows the current keys, and all is correct in here.
>
> The citation you've sent is however very interesting. I'm currently trying it out, changing the rekeymargin and rekeyfuzz, to make sure it's our side that renegotiates each time. We'll see what it will do.
>
> Thanks a lot!
> Michiel
>
> 2007/5/24, Serge Leschinsky <fi...@in...>:
>
> Hi Michiel,
>
> Michiel Peene wrote:
> > Hi,
> >
> > Is there a build 1.3 available yet? I can't seem to find it on the website.
>
> 1.3 is still beta (or even alpha).
>
> > Problem we have with the current version of OpenSwan is that the tunnel works fine until a new IKE key is renegotiated; then it apparently times out, unless we delete the IKE key on the other side of the tunnel (Checkpoint FW1). It worked fine for over 3 years, but for 3 months we have had this problem.
> > IT Support from the other side of the tunnel said I need to use setkey -D to delete the IKE key on our side and see what happens then, but I don't find a way to do this with the current openswan debugging tools.
>
> I'm not sure I understood you correctly....
>
> man 8 setkey
>     -D  Dump the SAD entries. If -P is also specified, the SPD entries are dumped. If -p is specified, the ports are displayed.
>
> I may be wrong, but 'ipsec auto --status' should show the same as 'setkey -D'.
>
> I guess this citation may be useful for you as well.
>
> ======================================================================
> A more subtle type of error is one where initially things seem to work but after a while the system goes down. Which endpoint is responding and which is initiating is clear when you start the connection, but the responding end might just start the next rekey a little bit before the initiator, and thus become the initiator itself. You can try and trigger these kinds of errors by setting the ikelifetime=, rekeyfuzz=, and lifetime= options to very short periods of time, such as one minute, and waiting for a few rekeys to occur.
>
> If you have determined that the switching of initiator and responder at rekey time is the problem, you can resolve this by lowering the IKE and IPsec key lifetimes on the initiator end, ensuring that the initiator stays the initiator. See the man page of ipsec.conf for help on the options lifetime=, ipseclifetime= and rekeyfuzz=. If you are the responder, and do not control the initiator, you can also set rekey=no to prevent becoming an initiator. After changing these parameters to fix these issues in the future, you will need to reload the currently stuck connection. If you want to be the responder, a simple
>
>     ipsec auto --replace connname
>
> will do. If you want to set yourself as the initiator, you will also need to
>
>     ipsec auto --up connname
>
> the connection.
> ======================================================================
>
> PS. I'm sure the ipsec folks (openswan mail list) can help you more professionally.
>
> --
> Serge
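The quoted citation says the role swap happens when the responder's rekey timer can fire before the initiator's, and Michiel is tuning rekeymargin and rekeyfuzz to prevent it. The following is an added example, not code from the thread or from Openswan: a small model of each endpoint's possible rekey window that checks whether one side is guaranteed to always initiate. It assumes, from the ipsec.conf man page wording for rekeymargin and rekeyfuzz, that a rekey starts rekeymargin*(1+f) seconds before SA expiry with f in [0, rekeyfuzz/100]; the Checkpoint peer's real behaviour is unknown, so its settings are a parameter.

```python
# Added example (not from the thread or from Openswan): model when each IPsec
# endpoint may start rekeying, to see whether the initiator/responder swap the
# citation describes can happen with a given pair of settings.
#
# Assumed model (from the ipsec.conf description of rekeymargin/rekeyfuzz):
# a rekey is attempted rekeymargin*(1+f) seconds before the SA expires, with
# f drawn uniformly from [0, rekeyfuzz/100]. Times are seconds after SA setup.

def rekey_window(lifetime, rekeymargin=540, rekeyfuzz=100):
    """Earliest and latest moment at which an endpoint with these settings
    may start a rekey of the SA."""
    if rekeymargin < 0 or rekeyfuzz < 0 or lifetime <= rekeymargin:
        raise ValueError("rekeymargin must be non-negative and below lifetime")
    earliest = lifetime - rekeymargin * (1 + rekeyfuzz / 100)
    latest = lifetime - rekeymargin
    return max(earliest, 0.0), latest

def initiator_stays_initiator(ours, peer):
    """True when our latest possible rekey still precedes the peer's earliest
    one, i.e. we are guaranteed to initiate every rekey. Both arguments are
    dicts with the keys lifetime, rekeymargin and rekeyfuzz."""
    _, our_latest = rekey_window(**ours)
    peer_earliest, _ = rekey_window(**peer)
    return our_latest < peer_earliest

# Openswan defaults for the IKE SA: ikelifetime=1h, rekeymargin=9m, rekeyfuzz=100%.
DEFAULTS = {"lifetime": 3600, "rekeymargin": 540, "rekeyfuzz": 100}

# Same defaults on both ends: the windows overlap, so either side may go first.
SYMMETRIC_OK = initiator_stays_initiator(DEFAULTS, DEFAULTS)   # False

# The citation's remedy: a shorter IKE lifetime on the side meant to initiate.
SHORTER = {"lifetime": 1800, "rekeymargin": 540, "rekeyfuzz": 100}
SHORTER_OK = initiator_stays_initiator(SHORTER, DEFAULTS)      # True

# A peer that rekeys exactly at expiry (no margin, no fuzz) is also expressible.
PEER_AT_EXPIRY = {"lifetime": 3600, "rekeymargin": 0, "rekeyfuzz": 0}

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("shorter", SHORTER)):
        print(name, "rekey window (s):", rekey_window(**cfg))
    print("symmetric defaults guarantee the initiator role:", SYMMETRIC_OK)
    print("shorter ikelifetime guarantees the initiator role:", SHORTER_OK)
```

Run it with the two sides' actual lifetime, rekeymargin and rekeyfuzz values; if the windows overlap, the swap the citation warns about is possible and the lifetimes need to be pulled further apart.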