Re: IPsec rekey question (bug in racoon?)
On Thu, Oct 04, 2001 at 02:21:50PM +0900, JINMEI Tatuya / 神明達哉 wrote:
> Please clarify, are you using automatic key negotiation (e.g. using
> IKE), or are you manually configuring the keys? The situation may
> differ according to the configuration.

Manual keys.

-Guido

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
Re: IPsec rekey question (bug in racoon?)
On Wed, Oct 03, 2001 at 01:00:15PM +0200, Guido van Rooij wrote:
> I am using IPsec in tunnel mode. Everything works okay. Then I decide
> to flush my SAD entries, on _one_ side of the tunnel. Naturally, I see
> a key exchange going on. Afterwards I see that the system on which I
> flushed the SAD entries does have new ones. However the other side of
> the tunnel is still using the old one for its tunnel to me. I would
> guess that that SAD would be replaced as well?

Why would it? The two simplex channels of an IPsec connection really
have very little to do with each other.

-- 
Crist J. Clark                           [EMAIL PROTECTED]
                                         [EMAIL PROTECTED]
                                         [EMAIL PROTECTED]
Re: IPsec rekey question (bug in racoon?)
On Wed, Oct 03, 2001 at 01:22:35PM -0700, Crist J. Clark wrote:
> On Wed, Oct 03, 2001 at 01:00:15PM +0200, Guido van Rooij wrote:
> > I am using IPsec in tunnel mode. Everything works okay. Then I decide
> > to flush my SAD entries, on _one_ side of the tunnel. Naturally, I see
> > a key exchange going on. Afterwards I see that the system on which I
> > flushed the SAD entries does have new ones. However the other side of
> > the tunnel is still using the old one for its tunnel to me. I would
> > guess that that SAD would be replaced as well?
>
> Why would it? The two simplex channels of an IPsec connection really
> have very little to do with each other.

Why? Because if one system reboots, the key is gone so there is no way
to decrypt the incoming traffic any more?

-Guido
Re: IPsec rekey question (bug in racoon?)
On Wed, Oct 03, 2001 at 10:57:01PM +0200, Guido van Rooij wrote:
> On Wed, Oct 03, 2001 at 01:22:35PM -0700, Crist J. Clark wrote:
> > On Wed, Oct 03, 2001 at 01:00:15PM +0200, Guido van Rooij wrote:
> > > I am using IPsec in tunnel mode. Everything works okay. Then I decide
> > > to flush my SAD entries, on _one_ side of the tunnel. Naturally, I see
> > > a key exchange going on. Afterwards I see that the system on which I
> > > flushed the SAD entries does have new ones. However the other side of
> > > the tunnel is still using the old one for its tunnel to me. I would
> > > guess that that SAD would be replaced as well?
> >
> > Why would it? The two simplex channels of an IPsec connection really
> > have very little to do with each other.
>
> Why? Because if one system reboots, the key is gone so there is no way
> to decrypt the incoming traffic any more?

The key? What key? Again, each direction is independent from the
other. Different keys will be used for each. The remote end doesn't
care about the state of the machine that was reset. As far as its SAD
is concerned nothing has changed. Therefore, no need to change the
SPI.

For a general discussion of the concept see RFC2401 Sec. 4, especially
4.1 and 4.4 (4.4.3).

-- 
Crist J. Clark                           [EMAIL PROTECTED]
                                         [EMAIL PROTECTED]
                                         [EMAIL PROTECTED]
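The point made in this message (RFC 2401 sec. 4.1: an SA is simplex and is identified by SPI, destination address and protocol, so a flush or rekey on one host changes nothing in the peer's SAD) is easy to see in a small model. The following Python is an added illustration, not code from this thread or from the KAME/racoon project; the addresses, SPIs and key bytes are constructed, and `manual_sas`, `flush_sad` and `send` are hypothetical helpers that stand in for a manual `setkey` script, `setkey -F`, and a packet traversing both SADs.

```python
"""Model of simplex IPsec Security Associations (RFC 2401 section 4.1).

Added illustration for the thread above, not code from the original
messages.  Host addresses, SPIs and key bytes are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    """One unidirectional SA, identified by (SPI, destination, protocol)."""
    spi: int
    dst: str      # address the SA carries traffic *to*
    proto: str    # "esp" or "ah"
    key: bytes    # constructed key material, for the model only


class Host:
    """A host and its Security Association Database (SAD)."""

    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.sad: Dict[Tuple[int, str, str], SA] = {}

    def add_sa(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def flush_sad(self) -> None:
        """What 'setkey -F' does on this host: every SA, both directions, is gone."""
        self.sad.clear()

    def outbound_sa(self, peer: str, proto: str = "esp") -> Optional[SA]:
        """SA this host uses for traffic it sends to peer."""
        return next((sa for sa in self.sad.values()
                     if sa.dst == peer and sa.proto == proto), None)

    def inbound_sa(self, spi: int, proto: str = "esp") -> Optional[SA]:
        """Lookup for a received packet: the SA keyed on (SPI, our address, proto)."""
        return self.sad.get((spi, self.addr, proto))


def manual_sas(a: str, b: str, spi_ab: int, spi_ba: int) -> List[SA]:
    """The two simplex SAs a manual-keying script installs on *both* hosts:
    each host treats one of them as outbound and the other as inbound."""
    return [SA(spi_ab, b, "esp", b"constructed-key-%x" % spi_ab),
            SA(spi_ba, a, "esp", b"constructed-key-%x" % spi_ba)]


def send(src: Host, dst: Host) -> str:
    """Trace one packet from src to dst through both SADs."""
    out = src.outbound_sa(dst.addr)
    if out is None:
        return f"no outbound SA at {src.addr}"
    inb = dst.inbound_sa(out.spi)
    if inb is None:
        return f"dropped at {dst.addr}: no SA for SPI {out.spi:#x}"
    if inb.key != out.key:
        return f"auth failure at {dst.addr} on SPI {out.spi:#x}"
    return f"delivered to {dst.addr} via SPI {out.spi:#x}"


def scenario() -> Dict[str, object]:
    """Flush one side, then rekey one side, then rekey both; record each state."""
    a, b = Host("10.0.0.1"), Host("10.0.0.2")
    for h in (a, b):
        for sa in manual_sas(a.addr, b.addr, 0x1001, 0x2002):
            h.add_sa(sa)
    r: Dict[str, object] = {"before": (send(a, b), send(b, a))}

    a.flush_sad()   # flush on one side only, as in the thread
    r["b_sad_size_after_a_flush"] = len(b.sad)            # B's SAD is untouched
    r["b_outbound_spi_after_a_flush"] = b.outbound_sa(a.addr).spi
    r["after_a_flush"] = (send(a, b), send(b, a))         # both directions fail

    # A alone installs a fresh pair with new SPIs; B still holds the old pair,
    # so B keeps sending on its old SPI and A keeps sending on one B never saw.
    for sa in manual_sas(a.addr, b.addr, 0x1003, 0x2004):
        a.add_sa(sa)
    r["after_a_only_rekey"] = (send(a, b), send(b, a))

    # Only once B replaces its pair with the same new one do both directions match.
    b.flush_sad()
    for sa in manual_sas(a.addr, b.addr, 0x1003, 0x2004):
        b.add_sa(sa)
    r["after_both_rekey"] = (send(a, b), send(b, a))
    return r


if __name__ == "__main__":
    for label, value in scenario().items():
        print(f"{label}: {value}")
```

Running `scenario()` shows the two halves of the disagreement: after A's flush, B's SAD still has exactly its two entries and B's outbound SA to A still carries SPI 0x2002 (nothing changed from B's point of view, as Crist says), while A can no longer match that SPI on inbound packets (the traffic loss Guido is worried about). With manual keys the fix is simply re-running the same `setkey` script on the flushed host; with a one-sided rekey to new SPIs, the peer has to install the same new pair before either direction works again.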
Re: IPsec rekey question (bug in racoon?)
On Wed, 3 Oct 2001 22:57:01 +0200, Guido van Rooij [EMAIL PROTECTED] said:

> > Why would it? The two simplex channels of an IPsec connection really
> > have very little to do with each other.
>
> Why? Because if one system reboots, the key is gone so there is no way
> to decrypt the incoming traffic any more?

Please clarify, are you using automatic key negotiation (e.g. using
IKE), or are you manually configuring the keys? The situation may
differ according to the configuration.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]