[Openswan dev] XAUTH: Re-keying without re-authenticating?
Chris Poon
dev-null at telus.net
Sat Feb 26 23:44:57 CET 2005
> >>>>> "Chris" == Chris Poon <dev-null at telus.net> writes:
> Chris> on XAUTH, it has a suggestion about not needing to
> Chris> re-authenticate by sending a SET(STATUS=OK) MODECFG message.
>
> Does this actually occur?
>
It's hard to tell because I'm trying to reverse-engineer SecureClient.
There isn't enough debugging on the CheckPoint side to show what happens
when the re-keying occurs. We're running an NG AI (R54) VPN Gateway, and
corporate policies dictate the use of SecurID. I doubt I can change
the re-key period on the VPN gateway.
>
> Chris> Currently, after the first authentication, there is no socket
> Chris> left to communicate with the end-user to prompt for
> Chris> username/password. When the re-key occurs, XAUTH fails
> Chris> because it has no socket to prompt again. Now, getting rid of
> Chris> the re-authentication is only the first step - CheckPoint
> Chris> will force a re-authentication after a pre-determined period,
> Chris> and my assumption is that it will do this but not do an
> Chris> ACK(STATUS).
>
> My suggestion is:
> a) you need to have longer phase 1 lifetimes. 24 hours+
>
> b) you need to set the server and client to rekey=no.
> (or whatever the equivalent is on Checkpoint)
>
> c) you need to have your UI force the rekey using
> "ipsec whack --name foo --initiate"
>
b) sounds doable and c) is annoying. Let me try b) and see what happens.
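As an added illustration (not from the thread or the Openswan project), this is what suggestions a) and b) look like on the Openswan client side of such a connection: a long Phase 1 lifetime and re-keying disabled, so that the only re-key is the one the UI triggers with the whack command from c) after it has prompted the user for a fresh SecurID passcode. The conn name, addresses and XAUTH username are placeholders, and the matching Check Point-side settings are outside what the thread covers.

```ini
# /etc/ipsec.conf, Openswan XAUTH client side (illustrative, placeholders throughout)
config setup
        # keep pluto's XAUTH/modecfg negotiation visible while testing the re-key behaviour
        plutodebug="control"

conn checkpoint-xauth                      # placeholder name; used with ipsec whack --name
        left=%defaultroute
        leftxauthclient=yes                # we are the XAUTH user being authenticated
        leftxauthusername=jdoe             # placeholder XAUTH username
        leftmodecfgclient=yes              # accept the address handed out via MODECFG
        right=192.0.2.1                    # placeholder gateway address (TEST-NET-1)
        rightxauthserver=yes
        rightmodecfgserver=yes
        authby=secret
        # a) Phase 1 (ISAKMP SA) lifetime of 24 hours or more
        ikelifetime=24h
        # b) never re-key on our own; a re-key with no UI socket would fail XAUTH
        rekey=no
        # c) the UI re-keys on its own terms, after prompting for the new passcode:
        #      ipsec whack --name checkpoint-xauth --initiate
        auto=add
```

With `rekey=no`, expiry of either SA brings the tunnel down rather than triggering an unattended re-key, so the UI has to run the whack command before the lifetimes elapse if the connection is to stay up.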