 
 From:  John Auld <jxa at minervaplc dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Tue, 3 Aug 2004 11:46:14 +0100
I would expect problems if I set the lifetimes manually and I set different
lifetimes on the client and the server, so if I go the manual route, it
seems sensible to set the lifetimes the same on both ends.

However, I would expect that the key exchange protocols would be designed to
let both sides negotiate settings that will work. However, the SA
lifetimes may require manual configuration.

If the process is manual, that is an administrative problem, because I
manage a number of mobile users. If I change the settings on the server for
some reason, I would need to change the setting on each client. It would be
easier if I could leave the SA lifetimes unset on the client and let the
server tell the client what to use, but if I know that I need to do it
manually then that's OK.


All I really want is to get it to work reliably, to document how to
configure it and then to leave it alone!



-----Original Message-----
From: Thomas Hertz [mailto:term at cynisk dot net] 
Sent: 03 August 2004 11:26
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] IPSec VPN Problem on Monowall 1.0


I find this statement quite strange, as the lifetimes are supposed to be
negotiated during phase 1. I do know that I've experienced problems when
letting racoon propose lifetimes different than those of the Windows default.

// Thomas Hertz


> "It is your job to ensure both peers are configured with the same 
> lifetimes. If they are not, it is possible for the tunnel to be 
> established initially,
> but then cease to work when one of the mis-matched lifetime periods
> arrives".

