[Openswan Users] best cofig for Windows 2003

Paul Wouters paul at xelerance.com
Tue Apr 17 22:24:05 EDT 2007


On Tue, 17 Apr 2007, Remigiusz Stachura wrote:

> My question is because of troubles with lost connection (there is no
> route to windows server - I cannot successfully ping the Windows host
> until I restart OpenSwan). Both of servers have static IP. Only Linux
> sent files.
>
> For Windows 2003 server default settings are:
> IKE SA - master key lifetime: 8 hours,
> IPSEC SA - session key lifetime: 1 hour or 100 MB;
> For Openswan:
> IKE SA - master key lifetime: 1 hour, max 8 hours,
> IPSEC SA - session key lifetime: 8 hour, max 24 hours.
> Am I correct?

Yes. You can try and match the lifetimes using lifetime= and ipseclifetime=

> I think that in case of using defaults settings I am experiencing
> situation where Openswan has only Quick Mode established without Main
> Mode.

"quick mode without main mode" is really what people call "Rekeying".

> conn host-to-host
>  type=transport
>  authby=secret
>  pfs=no
>  rekey=yes
>  failureshunt=passthrough

this is risky, you'll be leaking cleartext if your tunnel goes down.

>  keyingtries=5
>  left=xx.xx.xx.xx
>  right=yy.yy.yy.yy
>  ikelifetime=8h
>  keylife=1h

So swap these two I guess.

Check whether windows fails as Initiator on rekey, or as Responder on
rekey, and then match the lifetimes to ensure it stays the Initiator,
or the Responder.

Paul
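As an added illustration of the lifetime-matching and failureshunt points in the reply above (not code from the thread or from Openswan): a small checker that parses the quoted conn stanza, compares its lifetimes with the Windows 2003 defaults given in the thread, and reports which side would renegotiate first. It assumes Openswan's default rekeymargin of 9 minutes and no rekey margin on the Windows side.

```python
import re

# Peer defaults as stated in the thread: Windows 2003 IKE SA 8 hours, IPsec SA 1 hour.
WINDOWS_2003_DEFAULTS = {"ikelifetime": 8 * 3600, "keylife": 3600}
# Openswan renegotiates this long before an SA expires (rekeymargin=, default 9m).
# The peer's margin is not given in the thread and is assumed to be 0 here.
OPENSWAN_REKEYMARGIN = 9 * 60
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Convert an ipsec.conf time value such as '8h', '1h' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Parse one 'conn NAME' stanza (mail quoting '> ' stripped) into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        conn[key.strip()] = val.strip()
    return conn

def rekey_initiator(ours, peer, margin=OPENSWAN_REKEYMARGIN):
    """Which side renegotiates first: the one whose SA (minus its margin) expires first."""
    if ours - margin < peer:
        return "openswan"
    if ours - margin > peer:
        return "peer"
    return "race"

def check_conn(conn, peer=WINDOWS_2003_DEFAULTS):
    """Return findings: who initiates each rekey, plus a cleartext-leak warning."""
    findings = []
    for opt in ("ikelifetime", "keylife"):
        if opt in conn:
            who = rekey_initiator(parse_duration(conn[opt]), peer[opt])
            findings.append("%s=%s: %s initiates rekey" % (opt, conn[opt], who))
    if conn.get("failureshunt") == "passthrough":
        findings.append("failureshunt=passthrough: cleartext is sent while the tunnel is down")
    return findings

# Constructed sample: the options from the stanza quoted in the thread.
SAMPLE_CONN = "> conn host-to-host\n>  failureshunt=passthrough\n>  ikelifetime=8h\n>  keylife=1h\n"
```

Run `check_conn(parse_conn(SAMPLE_CONN))` to see the findings for the quoted stanza; lengthening the Openswan lifetimes past the peer's flips the reported initiator to the Windows side.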

