[Openswan dev] XAUTH: Re-keying without re-authenticating?

Chris Poon dev-null at telus.net
Sat Feb 26 23:44:57 CET 2005

> >>>>> "Chris" == Chris Poon <dev-null at telus.net> writes:
>     Chris> on XAUTH, it has a suggestion about not needing to
>     Chris> re-authenticate by sending a SET(STATUS=OK) MODECFG message.
>   Does this actually occur?
It's hard to tell because I'm trying to reverse-engineer SecureClient.
There isn't enough debugging on the CheckPoint side to show what happens
when the re-keying occurs. We're running NG AI (R54) VPN Gateway and
Corporate policies dictate the use of SecurID. I doubt I can change
the re-key period on the VPN gateway.

>     Chris> Currently, after the first authentication, there is no socket
>     Chris> left to communicate with the end-user to prompt for
>     Chris> username/password. When the re-key occurs, XAUTH failed
>     Chris> because it has no socket to prompt again. Now getting rid of
>     Chris> the re-authentication is only the first step - CheckPoint
>     Chris> will force a re-authentication after a pre-determined period
>     Chris> and my assumption is that it will do this but not doing an
>     Chris> ACK(STATUS).
>   My suggestion is:
>      a) you need to have longer phase 1 lifetimes. 24 hours+
>      b) you need to set the server and client to rekey=no.
> 	(or whatever the equivalent is on Checkpoint)
>      c) you need to have your UI force the rekey using 
> 	"ipsec whack --name foo --initiate"
b) sounds doable and c) is annoying. Let me try b) and see what happens.

More information about the Dev mailing list