On Tue, 17 Apr 2007, Remigiusz Stachura wrote:
> My question is because of troubles with lost connection (there is no
> route to windows server - I cannot successfully ping the Windows host
> until I restart OpenSwan). Both servers have static IP. Only Linux
> sent files.
>
> For Windows 2003 server default settings are:
> IKE SA - master key lifetime: 8 hours,
> IPSEC SA - session key lifetime: 1 hour or 100 MB;
> For Openswan:
> IKE SA - master key lifetime: 1 hour, max 8 hours,
> IPSEC SA - session key lifetime: 8 hour, max 24 hours.
> Am I correct?
Yes. You can try and match the lifetimes using lifetime= and ipseclifetime=
> I think that in case of using default settings I am experiencing a
> situation where Openswan has only Quick Mode established without Main
> Mode.
"quick mode without main mode" is really what people call "Rekeying".
> conn host-to-host
> type=transport
> authby=secret
> pfs=no
> rekey=yes
> failureshunt=passthrough
this is risky, you'll be leaking cleartext if your tunnel goes down.
> keyingtries=5
> left=xx.xx.xx.xx
> right=yy.yy.yy.yy
> ikelifetime=8h
> keylife=1h
So swap these two I guess.
Check whether windows fails as Initiator on rekey, or as Responder on
rekey, and then match the lifetimes to ensure it stays the Initiator,
or the Responder.
Paul
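As an added illustration (not from the thread or from the Openswan project), here is the same conn rewritten so that it fails closed and keeps its lifetimes aligned with the Windows 2003 defaults quoted above; the xx/yy addresses are the same placeholders as in the original post, and rekeymargin= and rekeyfuzz= are Openswan's own knobs for when the local side starts rekeying.

```conf
# Example ipsec.conf conn (constructed for this reply, not the poster's
# production config). Openswan is "left", the Windows 2003 host is "right".
conn host-to-host
    type=transport
    authby=secret
    pfs=no
    rekey=yes
    # passthrough silently sends cleartext once the SA is gone; drop
    # fails closed, so a lost SA is noticed instead of leaking data.
    failureshunt=drop
    keyingtries=%forever
    left=xx.xx.xx.xx
    right=yy.yy.yy.yy
    # Windows 2003 defaults: IKE SA 8h, IPsec SA 1h. Match them exactly...
    ikelifetime=8h
    keylife=1h
    # ...and start rekeying well before expiry so Openswan is always the
    # Initiator and Windows is only ever the Responder. The margin is
    # randomly stretched by up to rekeyfuzz, so a modest fuzz keeps the
    # rekey window predictable (defaults are 9m and 100%).
    rekeymargin=15m
    rekeyfuzz=10%
    auto=start
```

After loading it, `ipsec auto --status` shows which side initiated the current ISAKMP and IPsec SAs, which is the quickest way to confirm the roles stay as intended across a rekey.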
_______________________________________________
Users openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155