Dear misc@,

Recently I've been playing around with creating some OpenBSD tunnels on
a couple of firewalls I manage. My only problem with them is the very
long reconnection timeout after a flush (with ipsecctl -F).

I've tried both active and dynamic modes, and they seem to act the same way.

A sample config of a peer from ipsec.conf:
> ike esp from $src to $dst  \
>   local $localip peer $remoteip \
>   main auth hmac-sha1 enc 3des group modp1024 lifetime 86400 \
>   quick auth hmac-sha1 enc 3des group modp1024 lifetime 3600 \
>   psk "thepassword"

After some googling I managed to find a site
(http://www.richweb.com/book/export/html/182) which explains the long
reconnection time as a consequence of using long key lifetime expiry times.

Is there a way to reduce the reconnection time, save for asking the
other side of the tunnel to do a hard clear and reducing lifetimes?

If not, are there any downsides to reducing the key lifetime? What would be a
good value?

-- 
with regards, 

Wiesław Kielas
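As an added illustration (not part of the original post, and not a recommendation from the list), here is the same peer entry with the main and quick mode lifetimes shortened, which is the lever the post itself mentions for making a stale SA on the far end age out sooner after a local ipsecctl -F. The 3600/1200 second values are assumed example choices; the auth, enc and group settings are left exactly as in the post.

```conf
# Added example based on the ipsec.conf excerpt in the post; the lifetime
# values below are assumed illustrations, not values from the list thread.
# Shorter lifetimes bound how long the remote peer keeps an SA that the
# local side has already flushed, at the cost of more frequent rekeying.
ike esp from $src to $dst \
    local $localip peer $remoteip \
    main  auth hmac-sha1 enc 3des group modp1024 lifetime 3600 \
    quick auth hmac-sha1 enc 3des group modp1024 lifetime 1200 \
    psk "thepassword"
```

Load the edited file with ipsecctl -f /etc/ipsec.conf and inspect the resulting SAs and their age with ipsecctl -s all. Each shortened lifetime buys faster recovery with more frequent renegotiation, and every main mode rekey costs both peers a Diffie-Hellman exchange in the configured group, so apply the same values on both ends: the SA that causes the wait lives on the remote peer, not on the side that ran the flush.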
