From: bert hubert <ahu@ds9a.nl>
To: kuznet@ms2.inr.ac.ru
Cc: "David S. Miller" <davem@redhat.com>,
gem@asplinux.ru, netdev@oss.sgi.com
Subject: Re: automatic keying works! Re: off by one error in 3des cbc keying
Date: Mon, 18 Nov 2002 22:25:15 +0100
Message-ID: <20021118212515.GB23680@outpost.ds9a.nl>
In-Reply-To: <200211182032.XAA22666@sex.inr.ac.ru>
On Mon, Nov 18, 2002 at 11:32:12PM +0300, kuznet@ms2.inr.ac.ru wrote:
> Bert, could you help with testing? The patch adds timing out policies.
> To test this it is necessary to configure racoon on one end as "passive",
> in this case it should update policy on demand and delete them in time.
Works. This also needs 'generate_policy on;', by the way. Racoon does not
however log if a policy times out. It normally does not because the remote
racoon keeps renewing the SA, which also renews the SP.
If the remote racoon is STOPped, the passive side nicely times out the SP,
although it does not tell the user this.
Wonderful stuff, I'm starting to like racoon a bit better.
2002-11-18 22:18:15: INFO: isakmp.c:890:isakmp_ph1begin_r(): respond new
phase 1 negotiation: 10.0.0.11[500]<=>10.0.0.216[500]
2002-11-18 22:18:15: INFO: isakmp.c:895:isakmp_ph1begin_r(): begin
Aggressive mode.
2002-11-18 22:18:16: INFO: isakmp.c:2417:log_ph1established(): ISAKMP-SA
established 10.0.0.11[500]-10.0.0.216[500]
spi:d65a99e9df6d6eea:4e21da098172dfda
2002-11-18 22:18:16: INFO: isakmp.c:1045:isakmp_ph2begin_r(): respond new
phase 2 negotiation: 10.0.0.11[0]<=>10.0.0.216[0]
2002-11-18 22:18:16: INFO: isakmp_quick.c:2014:get_proposal_r(): no policy
found, try to generate the policy : 10.0.0.216/32[0] 10.0.0.11/32[0]
proto=any dir=in2002-11-18 22:18:16: INFO: pfkey.c:1106:pk_recvupdate():
IPsec-SA established: ESP/Transport 10.0.0.216->10.0.0.11
spi=230551900(0xdbdf15c)
2002-11-18 22:18:16: INFO: pfkey.c:1318:pk_recvadd(): IPsec-SA established:
ESP/Transport 10.0.0.11->10.0.0.216 spi=264801187(0xfc88ba3)
2002-11-18 22:19:52: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired:
ESP/Transport 10.0.0.216->10.0.0.11 spi=230551900(0xdbdf15c)
2002-11-18 22:19:52: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired:
ESP/Transport 10.0.0.11->10.0.0.216 spi=264801187(0xfc88ba3)
2002-11-18 22:19:52: INFO: isakmp.c:1045:isakmp_ph2begin_r(): respond new
phase 2 negotiation: 10.0.0.11[0]<=>10.0.0.216[0]
2002-11-18 22:19:52: INFO: isakmp_quick.c:2014:get_proposal_r(): no policy
found, try to generate the policy : 10.0.0.216/32[0] 10.0.0.11/32[0]
proto=any dir=in2002-11-18 22:19:52: INFO: pfkey.c:1106:pk_recvupdate():
IPsec-SA established: ESP/Transport 10.0.0.216->10.0.0.11
spi=127223206(0x79545a6)
2002-11-18 22:19:52: INFO: pfkey.c:1318:pk_recvadd(): IPsec-SA established:
ESP/Transport 10.0.0.11->10.0.0.216 spi=140990312(0x8675768)
2002-11-18 22:20:16: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired:
ESP/Transport 10.0.0.216->10.0.0.11 spi=230551900(0xdbdf15c)
2002-11-18 22:20:16: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired:
ESP/Transport 10.0.0.11->10.0.0.216 spi=264801187(0xfc88ba3)
--
http://www.PowerDNS.com Versatile DNS Software & Services
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
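
Since the message reports that racoon logs SA expiry but not the policy timeout, the SA events can serve as a proxy: a flow whose last SA expired with no replacement is one whose generated policy will lapse without a log entry. The following is an added example, not part of the original message or of racoon; it assumes one log entry per line (the raw log, not the mail-wrapped excerpt above), and the addresses and SPIs in the sample are constructed.

```python
import re
from datetime import datetime

# racoon INFO lines for SA events, in the format shown in the message above.
EVENT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): INFO: pfkey\.c:\d+:"
    r"(?:pk_recvupdate|pk_recvadd|pk_recvexpire)\(\): IPsec-SA (established|expired): "
    r"\S+ (\S+)->(\S+) spi=\d+\((0x[0-9a-f]+)\)"
)

# Constructed sample: peer .216 keeps renewing its SA, peer .77 goes silent.
P = "2002-11-18 22:"
SAMPLE = "\n".join([
    P + "18:16: INFO: pfkey.c:1106:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.0.2.216->192.0.2.11 spi=1001(0x3e9)",
    P + "18:20: INFO: pfkey.c:1106:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.0.2.77->192.0.2.11 spi=1257(0x4e9)",
    P + "18:20: INFO: pfkey.c:1318:pk_recvadd(): IPsec-SA established: ESP/Transport 192.0.2.11->192.0.2.77 spi=1258(0x4ea)",
    P + "19:52: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired: ESP/Transport 192.0.2.216->192.0.2.11 spi=1001(0x3e9)",
    P + "19:52: INFO: pfkey.c:1106:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.0.2.216->192.0.2.11 spi=1003(0x3eb)",
    P + "20:16: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired: ESP/Transport 192.0.2.216->192.0.2.11 spi=1001(0x3e9)",
    P + "20:20: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired: ESP/Transport 192.0.2.77->192.0.2.11 spi=1257(0x4e9)",
    P + "20:20: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired: ESP/Transport 192.0.2.11->192.0.2.77 spi=1258(0x4ea)",
])

def stale_flows(log_text):
    """Return {(src, dst): last_expiry} for flows with no established SA left."""
    live = {}      # (src, dst) -> set of SPIs currently established
    last_exp = {}  # (src, dst) -> time of the most recent expire event
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # phase 1/2 negotiation lines and anything else
        ts, what, src, dst, spi = m.groups()
        flow = (src, dst)
        spis = live.setdefault(flow, set())
        if what == "established":
            spis.add(spi)
        else:
            # The same SPI can be reported expired more than once, as in
            # the log above; discard() makes the repeat harmless.
            spis.discard(spi)
            last_exp[flow] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return {f: last_exp[f] for f, spis in live.items() if not spis and f in last_exp}

if __name__ == "__main__":
    for (src, dst), when in sorted(stale_flows(SAMPLE).items()):
        print(f"{src}->{dst}: last SA expired {when}, not renewed")
```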