 
 From:  John Auld <jxa at minervaplc dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Tue, 3 Aug 2004 10:55:57 +0100
From http://www.onlamp.com/lpt/a/3009

"It is your job to ensure both peers are configured with the same lifetimes.
If they are not, it is possible for the tunnel to be established initially,
but then cease to work when one of the mis-matched lifetime periods
arrives".

I would still be grateful if anyone can answer the question in my post
below. Is the setting of SA lifetimes on the client and the server a totally
manual process - or can you safely leave it unset on the client and rely on
the client detecting the expiration of a SA lifetime?


-----Original Message-----
From: John Auld [mailto:jxa at minervaplc dot com] 
Sent: 03 August 2004 10:49
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] IPSec VPN Problem on Monowall 1.0


When I reported the problem with racoon causing problems by not cleaning up
stale SADs and SPDs, I had set the timeout on the phase 1 and 2 IPSec
options to 5 minutes.

I have tried leaving the lifetime field unset and this seems to avoid the
problem with IPSec clients being unable to re-connect. I am not yet
convinced that this has fixed the problem, but it seems to be fixed or to
occur less often when the lifetime on phase 1 and 2 is unset.


If a lifetime is set, the keys used to encrypt the traffic are changed once
per lifetime, and it is necessary for both the client and the server to use
the same settings, so that both change keys at the correct time. On the
SafeNet SoftremoteLT client, I have left the timeouts unset and I have
presumed that the client will detect the key changes. Perhaps it is
necessary to manually ensure that the phase 1 and 2 lifetimes are entered
correctly on both the client and the server - otherwise the connection will
cease working.

Perhaps the problems I have had were caused by setting a lifetime on the
server for phase 1 and 2, without setting a lifetime on the client.
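The lifetime-matching point raised in the thread above, as an added example that is not from the original post and not the racoon.conf that m0n0wall itself generates: a hand-written racoon.conf showing where the phase 1 and phase 2 lifetimes live and how `proposal_check` decides what the responder does when the client proposes a different lifetime. The PSK file path and the peer settings are assumptions for illustration.

```conf
# Assumed path to the pre-shared key file (placeholder, not m0n0wall's real path)
path pre_shared_key "/path/to/psk.txt";

remote anonymous {
    exchange_mode aggressive, main;
    my_identifier address;

    # Phase 1 (ISAKMP SA) lifetime. The client must either propose the
    # same value or the responder must be allowed to reconcile the mismatch.
    lifetime time 24 hour;

    # How a lifetime mismatch with the initiator is handled:
    #   obey   - accept whatever lifetime the client proposes (safest when the
    #            client's lifetime field is left unset, as in the thread)
    #   strict - use the client's value only if it is shorter than ours,
    #            otherwise reject the proposal
    #   claim  - like strict, but keep our own shorter value and tell the
    #            client via a RESPONDER-LIFETIME notification
    #   exact  - reject unless the lifetimes are identical (the case that
    #            produces "works at first, then stops" when values differ)
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    # Phase 2 (IPsec SA) lifetime; the same matching rule applies here.
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

With `proposal_check exact` and a client that proposes no matching value, the phase 2 rekey at the one-hour mark is where the tunnel would stop passing traffic, which is the failure mode the quoted onlamp article describes.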