[Openswan dev] XAUTH: Re-keying without re-authenticating?

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Feb 28 10:27:34 CET 2005


>>>>> "Chris" == Chris Poon <dev-null at telus.net> writes:
    >> My suggestion is: a) you need to have longer phase 1
    >> lifetimes. 24 hours+
    >> 
    >> b) you need to set the server and client to rekey=no.  (or
    >> whatever the equivalent is on Checkpoint)
    >> 
    >> c) you need to have your UI force the rekey using "ipsec whack
    >> --name foo --initiate"

    Chris> b) sounds doable and c) is annoying. Let me try b) and see
    Chris> what happens.

  Those weren't options. Those were things to do.
  a) make it less painful
  b) make sure that it doesn't happen without supervision
  c) supervise

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [