[Users] Re: [NAT (iptables+freeswan)] Connection tracking for 500/udp
Axel Thimm
users@lists.freeswan.org
Sat, 6 Oct 2001 09:28:15 +0200
On Sat, Oct 06, 2001 at 12:53:52AM -0400, Claudia Schmeing wrote:
> You write,
> > - Can FreeSWAN be instructed to be passive in IKE connections? I.e. to have
> > always the other peer send the first 500/udp packet?
>
> To do this, you need to initiate from the peer end, and then set the
> ikelifetime parameter to a smaller value than its equivalent on the
> peer. This will likely pass negotiations. If it does, it can be used to
> address asymmetrical problems such as this one, or asymmetrical (re)keying
> failure.
The ikelifetime is set at one hour (the default):
000 "bonzow2k-bacchus": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
The example broke after 10.5 min as quoted below (it reproducibly breaks after
exactly that time):
> Oct 4 08:52:55 bacchus Pluto[25223]: "bonzow2k-bacchus" #2: STATE_QUICK_R2: IPsec SA established
> [...]
> Oct 4 09:03:25 bacchus Pluto[25223]: "bonzow2k-bacchus" #2: replacing stale IPsec SA
> Oct 4 09:03:25 bacchus Pluto[25223]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
> Oct 4 09:03:25 bacchus Pluto[25223]: extended network error info for message to xxx.xx.xxx.xx port 500: compainant xxx.xx.xxx.xx, errno 111 Connection refused, origin ICMP (not authenticated) 2, type 3, code 3
> [...]
Regards, Axel.
--
Axel.Thimm+freeswan@physik.fu-berlin.de