[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 97) RE: racoon failing to re-establish SA

To: <racoon@kame.net>
Subject: (racoon 97) RE: racoon failing to re-establish SA
From: "Lucky Green" <shamrock@cypherpunks.to>
Date: Tue, 13 May 2003 01:08:48 -0700
Delivered-to: racoon-archive@kame.net
Delivered-to: racoon-outgoing@kame.net
Delivered-to: racoon@kame.net
Importance: Normal
In-reply-to: <20030513074630.GA22671@zen.inc>
Reply-to: racoon@kame.net
Sender: owner-racoon@kame.net

VANHULLEBUS Yvan wrote:
> You have phase1 lifetime of 10 minuts on "local", but 1 minut 
> on "remote", so when you have to renegociate phase2, local 
> uses the SAME Isakmp-SA used for the first negociation, but 
> remote considers this SA as dead.
> 
> You may specify the proposal_check parameter for phases1 (I 
> don't know the default value for your racoon versions), 
> and/or adjust the phase1 lifetime to be the same on both peers....

Looking at my racoon.conf file, the default for proposal_check is
"obey". Which level setting would prevent this problem from occurring no
matter which side has been configured for a shorter lifetime?

> And this is not directly related to your problem, but you may 
> increase your phase1/2 lifetimes, I think 10/2 minuts is a 
> very short life duration, at least when using "good" algorithms....

Understood. I deliberately had chosen relatively short values for
testing to be able to watch the IKE negotiations.

Thanks in advance,
--Lucky

References:
- (racoon 96) Re: racoon failing to re-establish SA
  - From: VANHULLEBUS Yvan <vanhu@free.fr>

Prev by Date: (racoon 96) Re: racoon failing to re-establish SA
Next by Date: (racoon 98) Update: Racoon RFC compliance patch
Previous by thread: (racoon 96) Re: racoon failing to re-establish SA
Next by thread: (racoon 98) Update: Racoon RFC compliance patch
Index(es):
- Date
- Thread