On Sat, Oct 06, 2001 at 12:53:52AM -0400, Claudia Schmeing wrote:
> You write,
> > - Can FreeSWAN be instructed to be passive in IKE connections? I.e. to have
> > always the other peer send the first 500/udp packet?
>
> To do this, you need to initiate from the peer end, and then set the
> ikelifetime parameter to a smaller value than its equivalent on the
> peer. This will likely pass negotiations. If it does, it can be used to
> address asymmetrical problems such as this one, or asymmetrical (re)keying
> failure.

The ikelifetime is set at one hour (the default):

000 "bonzow2k-bacchus": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

The example broke after 10.5 min as quoted below (it reproducibly breaks after exactly that time):

> Oct 4 08:52:55 bacchus Pluto[25223]: "bonzow2k-bacchus" #2: STATE_QUICK_R2: IPsec SA established
> [...]
> Oct 4 09:03:25 bacchus Pluto[25223]: "bonzow2k-bacchus" #2: replacing stale IPsec SA
> Oct 4 09:03:25 bacchus Pluto[25223]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
> Oct 4 09:03:25 bacchus Pluto[25223]: extended network error info for message to xxx.xx.xxx.xx port 500: complainant xxx.xx.xxx.xx, errno 111 Connection refused, origin ICMP (not authenticated) 2, type 3, code 3
> [...]

Regards, Axel.
-- 
[EMAIL PROTECTED]

_______________________________________________
Users mailing list
[EMAIL PROTECTED]
http://lists.freeswan.org/mailman/listinfo/users
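The arrangement Claudia describes (initiate only from the peer, give the peer the shorter ikelifetime) as an added ipsec.conf example; it is not code from the thread or from the FreeSWAN project. The connection name "bonzow2k-bacchus" and the 1h/8h/9m/100% lifetimes are taken from the status line quoted above; the addresses 192.0.2.1 and 198.51.100.1, the hostnames as left/right labels, and the 30m/4h values chosen for the peer are assumptions. The same conn stanza is shown twice, once per host, since the only intended differences are auto= and the lifetimes.

```ini
# --- ipsec.conf on bacchus (the side that must never send the first 500/udp packet) ---
# auto=add loads the conn at startup but never initiates; bacchus only answers.
# Lifetimes are the FreeSWAN defaults, matching the quoted status line
# (ike_life 3600s, ipsec_life 28800s, rekey_margin 540s, rekey_fuzz 100%).
conn bonzow2k-bacchus
    left=192.0.2.1            # assumed: bacchus
    right=198.51.100.1        # assumed: bonzow2k
    auto=add
    ikelifetime=1h
    keylife=8h
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=0

# --- ipsec.conf on bonzow2k (the side that must always initiate) ---
# auto=start initiates at startup. Both lifetimes are deliberately shorter than
# on bacchus so that this side's rekey timers always fire first: ikelifetime
# covers the ISAKMP SA (Claudia's point), keylife/rekeymargin the IPsec SA, which
# is the one the quoted log shows bacchus trying to replace itself (assumption:
# keeping keylife shorter here too is what stops bacchus from initiating that).
conn bonzow2k-bacchus
    left=192.0.2.1            # assumed: bacchus
    right=198.51.100.1        # assumed: bonzow2k
    auto=start
    ikelifetime=30m
    keylife=4h
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=0
```

After reloading, `ipsec auto --status` on each host prints a `000 "bonzow2k-bacchus": ike_life: ...` line like the one quoted above; the two hosts should show different ike_life and ipsec_life values, with the smaller ones on bonzow2k. If they are equal, the peer's ipsec.conf was not the one loaded. Note that ikelifetime and keylife must still fall inside whatever the other side is willing to accept, since a responder can reject lifetimes it considers too long; that is the "will likely pass negotiations" caveat in the reply.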