Re: linux-ipsec: replay and manual setup

From: Henry Spencer <henry(at)spsystems.net>
Date: Fri Oct 30 1998 - 09:31:09 EST


> I have a manual keyring configuration.
> When I shut down one gateway, alpha, and started it again after a short time, the
> other gateway, b, drops the packets.
> Debug says: duplicate frame from 192.168.0.2 (alpha), packet dropped
> I had to restart the ipsec-setup manually at gateway b. Sometimes
> both.

Are you using replay protection? If so, note that you *cannot* restart just one side of a replay-protected connection, in general, because there is no way to get the packet counter set properly. This is a fundamental limitation of the way IPSEC does replay protection, not a quirk of the FreeS/WAN implementation.

This is why replay protection defaults to "off" for manual keying. The only way to make replay protection work well in the presence of restarts is to use automatic key negotiation, so that a fresh connection can be negotiated after each restart.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Fri Oct 30 10:29:22 1998
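The failure Henry describes, as an added simulation that is not code from the FreeS/WAN project or from either poster: a receiver-side anti-replay sliding window in the style of RFC 2401 / RFC 4303 Appendix A, a sender whose sequence counter is lost on reboot, and the three outcomes a practitioner sees. With the same SPI and keys kept across the restart, the sender's counter goes back to 1; if the receiver's window has advanced past the window size the packets are rejected as too old, and if fewer packets than the window size had been sent before the restart they collide with bits already set and are rejected as duplicates (the "duplicate frame" message). Installing a fresh SA on both sides, which is what automatic keying does after a restart, resets the window and the counter together. The window size, packet counts and gateway names are assumptions for the illustration; no real packets are involved.

```python
"""Simulation of IPsec ESP anti-replay across a one-sided gateway restart.

Added example, not FreeS/WAN code. Window size and packet counts are assumed.
"""


class ReplayWindow:
    """Receiver side: sliding bitmap window (RFC 4303 Appendix A style)."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0      # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number last_seq - i seen

    def check(self, seq):
        """Classify seq and record it if accepted.

        Returns 'ok' (accepted), 'zero' (seq 0 is never valid), 'old'
        (below the window) or 'dup' (already seen inside the window).
        """
        if seq == 0:
            return "zero"
        if seq > self.last_seq:
            # Window slides right; new packet becomes bit 0.
            shift = seq - self.last_seq
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1
            self.last_seq = seq
            return "ok"
        diff = self.last_seq - seq
        if diff >= self.size:
            return "old"           # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return "dup"           # replay of a packet already accepted
        self.bitmap |= 1 << diff   # late but new: accept and mark
        return "ok"


class Sender:
    """Sender side: per-SA sequence counter, which a reboot does not persist."""

    def __init__(self):
        self.seq = 0

    def next_packet(self):
        self.seq += 1
        return self.seq

    def restart(self):
        # Manually keyed gateway rebooting: same SPI and keys, counter
        # starts over from 1 (assumed behaviour for the illustration).
        self.seq = 0


def one_side_restart(before, after, rekey=False, window=64):
    """Gateway alpha sends `before` packets to gateway b, reboots, then sends
    `after` more. Returns the receiver's verdict on each post-restart packet.
    With rekey=True both sides install a fresh SA after the restart."""
    alpha, b = Sender(), ReplayWindow(window)
    for _ in range(before):
        assert b.check(alpha.next_packet()) == "ok"
    alpha.restart()
    if rekey:
        b = ReplayWindow(window)   # fresh SA: window reset with the counter
    return [b.check(alpha.next_packet()) for _ in range(after)]


if __name__ == "__main__":
    print("long uptime, no rekey:", one_side_restart(100, 3))
    print("short uptime, no rekey:", one_side_restart(10, 3))
    print("restart with rekey:", one_side_restart(10, 3, rekey=True))
```

In the no-rekey cases nothing the sender does recovers the SA: it would have to know the receiver's current window position, which the protocol does not convey. Only resetting both ends, either by restarting ipsec on the receiver as well (what the original poster did by hand) or by negotiating a new SA, gets the two counters back in step.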

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:04 EDT