I am just curious why there would be multiple
instances to the same machine (xeno). Is there any way
to eliminate this in order to reduce overhead for the
server (key exchange & encryption??). uniqueids=yes
should work, but I am using a specific IP for my xeno
config setup.
   Also, I set up leftcert=MyCert.pem for my FreeS/WAN
local server and rightcert=xeno.pem for the remote
machine, which works fine. Does that in any way cause any
problems & security issues? It won't work when I omit
leftcert, but shouldn't it use my default RSA
certificate in /etc/ipsec.secrets?

Thanks in advance.

Kap--


config setup--

        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute

        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none

        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search

        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

        # Enable NAT-Traversal
        #nat_traversal=yes


conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        left=%defaultroute
        leftcert=MyCert.pem
        leftrsasigkey=%cert
        rightrsasigkey=%cert


conn xeno
        right=192.168.9.50
        rightcert=xeno.pem
        auto=add
        pfs=yes


Excerpt from ipsec auto --status--

"xeno":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "xeno":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth0; erouted
000 "xeno":   newest ISAKMP SA: #0; newest IPsec SA: #1009; eroute owner: #1009
000 "xeno":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "xeno":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "xeno":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "xeno":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "xeno":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 #982: "xeno" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 18475s
000 #982: "xeno" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1009: "xeno" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 861s; newest IPSEC; eroute owner
000 #1009: "xeno" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #962: "xeno" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1383s
000 #962: "xeno" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


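One way to spot the "multiple instances to the same machine" situation directly from the status output, as an added example that is not part of the original post and not a FreeS/WAN tool: a small Python script (the script name and function names are my own) that parses the per-SA lines of ipsec auto --status, groups the established IPsec (Quick Mode) SAs by connection name, and flags any connection holding more than one at once. The embedded sample is constructed, modelled on the excerpt above; the SA numbers, timers and the second connection are made up for illustration.

```python
"""sa_check.py: count established IPsec SAs per connection in Pluto status output.

Added example, not from the original post. Reads `ipsec auto --status` text
(from stdin when piped, otherwise the constructed sample below) and reports
connections that hold more than one established IPsec SA.
"""
import re
import sys
from collections import defaultdict

# One Pluto status line per SA, e.g.
#   000 #982: "xeno" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 18475s
# The leading "000 " whack prefix is optional because pasted excerpts often lose it
# on the first line.
SA_LINE = re.compile(
    r'^(?:000\s+)?#(?P<sa>\d+):\s+"(?P<conn>[^"]+)"\s+(?P<state>STATE_\w+)'
    r'\s+\((?P<desc>[^)]*)\)'
    r'(?:;\s+(?P<event>EVENT_\w+)\s+in\s+(?P<secs>\d+)s)?'
)
# STATE_QUICK_I2 -> this end initiated the exchange, STATE_QUICK_R2 -> it responded.
ROLE = re.compile(r"_([IR])\d+$")


def parse_sa_lines(text):
    """Return one dict per SA state line in `text`; lines that do not match are skipped."""
    sas = []
    for raw in text.splitlines():
        m = SA_LINE.match(raw.strip())
        if not m:
            continue
        sa = m.groupdict()
        sa["sa"] = int(sa["sa"])
        sa["secs"] = int(sa["secs"]) if sa["secs"] is not None else None
        # Quick Mode states belong to IPsec (Phase 2) SAs, Main Mode states to ISAKMP (Phase 1).
        sa["phase"] = 2 if sa["state"].startswith("STATE_QUICK") else 1
        sa["established"] = "established" in sa["desc"]
        role = ROLE.search(sa["state"])
        sa["role"] = {"I": "initiator", "R": "responder"}[role.group(1)] if role else "unknown"
        sas.append(sa)
    return sas


def established_ipsec_sas(text):
    """Map connection name -> list of established Phase 2 SAs, in the order printed."""
    by_conn = defaultdict(list)
    for sa in parse_sa_lines(text):
        if sa["phase"] == 2 and sa["established"]:
            by_conn[sa["conn"]].append(sa)
    return dict(by_conn)


def duplicate_sas(text):
    """Connections holding more than one established IPsec SA at once.

    Returns {conn: sorted SA numbers}. One established SA per conn is the normal
    steady state; each extra one cost a separate Quick Mode exchange and keeps
    its own ESP context alive until its own EVENT_SA_REPLACE fires.
    """
    return {
        conn: sorted(sa["sa"] for sa in sas)
        for conn, sas in established_ipsec_sas(text).items()
        if len(sas) > 1
    }


def report(text):
    """Human-readable lines: one per established IPsec SA, plus a warning per duplicated conn."""
    lines = []
    for conn, sas in established_ipsec_sas(text).items():
        for sa in sas:
            when = f"{sa['secs']}s" if sa["secs"] is not None else "n/a"
            lines.append(f"{conn}: #{sa['sa']} {sa['role']} {sa['state']} rekey in {when}")
    for conn, nums in duplicate_sas(text).items():
        lines.append(f"WARNING {conn}: {len(nums)} established IPsec SAs {nums}")
    return lines


# Constructed sample modelled on the excerpt in the post; SA numbers, timers and the
# second connection "other" are made up.
SAMPLE_STATUS = """\
000 "xeno":   newest ISAKMP SA: #0; newest IPsec SA: #1009; eroute owner: #1009
000 #982: "xeno" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 18475s
000 #1009: "xeno" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 861s; newest IPSEC; eroute owner
000 #962: "xeno" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1383s
000 #1010: "other" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2000s
000 #1011: "other" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25000s
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for line in report(text):
        print(line)
```

Run it as ipsec auto --status | python3 sa_check.py on a live gateway. Against the excerpt in the post it would list #982 and #962 as initiator-side SAs and #1009 as the responder-side one, all on "xeno", which is exactly the condition the warning line is there to catch; the role column tells you whether the extra SAs came from this end re-initiating or from the peer bringing up its own.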