[ previous ] [ next ] [ threads ]
 From:  John Auld <jxa at minervaplc dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Tue, 3 Aug 2004 10:48:45 +0100
When I reported the problem with racoon causing problems, by not cleaning up
stale SAD's and SPD's, I had set the timeout on the phase 1 and 2 IPSec
options to 5 minutes.

I have tried leaving the lifetime field unset and this seems to avoid the
problem with IPSec clients being unable to re-connect. I am not yet
convinced that this has fixed the problem, but it seems to be fixed or to
occur less often when the lifetime on phase 1 and 2 is unset.

If a lifetime is set, the keys used to encrypt the traffic are changed once
per lifetime, and it is necessary for both the client and the server to use
the same settings, so that both change keys at the correct time. On the
SafeNet SoftremoteLT client, I have left the timeouts unset and I have
presumed that the client will detect the key changes. Perhaps it is
necessary to manually ensure that the phase 1 and 2 lifetimes are entered
correctly on both the client and the server - otherwise the connection will
cease working.

Perhaps the problems I have had were caused by setting a lieftime on the
server for phase 1 and 2, without setting a lifetime on the client.

Does anyone know if the IPSec protocols include some communication between
the server and the client to instruct the client to change keys at the
expiration of the SA lifetime?
DISCLAIMER:This message is intended only for the use of the person(s) ("the
intended recipient(s)") to whom it is addressed. It may contain information
which is privileged, proprietary and/or confidential within the meaning of
applicable law. If you are not the intended recipient, be advised that you
have received this email in error and that any use, dissemination,
forwarding, printing or copying of this message (including any attachments)
is strictly prohibited. If you have received this message in error, please
contact the sender of this message as soon as possible. The views or
opinions expressed in this message are those of the author and may not
necessarily be the views held by Azurgroup Limited.