[Openswan Users] Keying parameters

Philip Mountifield pmountifield at formac.net
Mon Dec 8 14:23:48 EST 2008


Thanks Paul,

In our case the FreeS/WAN end is the only end which can bring up the 
tunnel as the communication must originate from this end to be allowed 
through a CDMA mobile network. When the rekeying occurs, does this 
cover both directions of communication for the tunnel or just the 
direction which corresponds to the end which has had its key expire?

Kind regards

Philip


Paul Wouters wrote:
> On Thu, 4 Dec 2008, Philip Mountifield wrote:
>
>> When negotiating parameters do the ends of the vpn tunnel tell each other
>> what lifetime they have to the IKE and IPsec SA?
>
> some implementations tell the other, but it is not part of the negotiations.
> That is, both ends do not need to agree. Whoever finds that their keylife is
> about to end, should do its own rekeying.
>
>> I have an openswan
>> server which is connecting to a freeswan (1.99) based router and the
>> router is initiating the connection but it seems to drop and recover as
>> if the timings are out of sync.
>
> FreeS/WAN used to refuse certain long keylifes. I believe 86400 was its max.
>
> Paul


-- 

Philip Mountifield
Formac Electronics Ltd
tel  +44 (0) 1225 338176
fax  +44 (0) 1225 446094
pmountifield at formac.net
www.formac.net
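
The point in the quoted reply, that each end rekeys on its own schedule, worked through as an added example (not part of the thread, and not Openswan or FreeS/WAN code). It models the rekey start as the lifetime minus `rekeymargin` increased by up to `rekeyfuzz` percent, following the ipsec.conf keywords of those names; the `End` class, the `can_initiate` flag and all sample values are assumptions.

```python
from dataclasses import dataclass

FREESWAN_MAX_KEYLIFE = 86400  # seconds; the ceiling recalled in the thread


@dataclass
class End:
    name: str
    keylife: int        # SA lifetime configured locally, in seconds
    rekeymargin: int    # seconds before expiry at which rekeying starts
    rekeyfuzz: int      # max percent by which the margin is randomly increased
    can_initiate: bool  # assumption: can traffic started here reach the peer?

    def rekey_window(self):
        """(earliest, latest) seconds after SA setup at which this end rekeys."""
        widest = self.rekeymargin * (100 + self.rekeyfuzz) // 100
        return max(self.keylife - widest, 0), max(self.keylife - self.rekeymargin, 0)


def first_to_rekey(a, b):
    """Name of the end that always rekeys first, or 'either' if windows overlap."""
    (a_lo, a_hi), (b_lo, b_hi) = a.rekey_window(), b.rekey_window()
    if a_hi < b_lo:
        return a.name
    if b_hi < a_lo:
        return b.name
    return "either"


def check(a, b):
    """Warnings for a pair of independently configured ends."""
    warnings = [f"{e.name}: keylife {e.keylife}s is above {FREESWAN_MAX_KEYLIFE}s"
                for e in (a, b) if e.keylife > FREESWAN_MAX_KEYLIFE]
    first = first_to_rekey(a, b)
    for e in (a, b):
        if not e.can_initiate and first in (e.name, "either"):
            warnings.append(f"{e.name} cannot initiate but may reach its rekey point first")
    return warnings


# Constructed sample settings, not taken from the thread.
router = End("freeswan-router", keylife=28800, rekeymargin=540, rekeyfuzz=100, can_initiate=True)
server_long = End("openswan-server", keylife=28800, rekeymargin=540, rekeyfuzz=100, can_initiate=False)
server_short = End("openswan-server", keylife=3600, rekeymargin=540, rekeyfuzz=100, can_initiate=False)
server_safe = End("openswan-server", keylife=86400, rekeymargin=540, rekeyfuzz=100, can_initiate=False)

if __name__ == "__main__":
    for server in (server_long, server_short, server_safe):
        print(server.keylife, first_to_rekey(router, server), check(router, server))
```

With these sample values, only the pairing where the server's rekey window falls entirely after the router's produces no warning.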


