[Openswan dev] XAUTH: Re-keying without re-authenticating?

mcr at xelerance.com mcr at xelerance.com
Fri Feb 25 22:08:21 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Chris" == Chris Poon <dev-null at telus.net> writes:
    Chris> on XAUTH, it has a suggestion about not needing to
    Chris> re-authenticate by sending a SET(STATUS=OK) MODECFG message.

  Does this actually occur?

    Chris> Currently, after the first authentication, there is no socket
    Chris> left to communicate with the end-user to prompt for
    Chris> username/password. When the re-key occurs, XAUTH failed
    Chris> because it has no socket to prompt again. Now getting rid of
    Chris> the re-authentication is only the first step - CheckPoint
    Chris> will force a re-authentication after a pre-determined period
    Chris> and my assumption is that it will do this but not doing an
    Chris> ACK(STATUS).

  My suggestion is:
     a) you need to have longer phase 1 lifetimes. 24 hours+

     b) you need to set the server and client to rekey=no.
	(or whatever the equivalent is on Checkpoint)

     c) you need to have your UI force the rekey using 
	"ipsec whack --name foo --initiate"

  Now, --initiate will just rekey the phase 2 right now.
  We can probably add something to either:
     a) rekey phase 1 and phase 2.
     b) rekey phase 1 if we are within 10% of rekey interval.

    Chris> Any help would be greatly appreciated and please CC me as I
    Chris> don't have a subscription to this list.

  Please tell us more about your environment.

- -- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQh/oHoqHRg3pndX9AQF6RQQAnKrOLyizo/mcZUQX/ncjmwjaEIxVxVHX
W00OQdTrpJQ86DeSwHyDXhLzc+n9jecGJmyGcqdIDqq+tL/w4KUFnCbsFHoQ1are
+g3sv24AWyySV08yGjqE5e3phhgWEeeE93Yil/YjnVAMlgtFMANDz3Rr01ceSipV
5X9KbU8z8xE=
=5xPN
-----END PGP SIGNATURE-----


More information about the Dev mailing list