Re: [Users] Rekeying defaults for new ipsec.conf

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Aug 15 2002 - 20:14:29 CEST


I recommend setting rekeying to 3 or 4 in order to avoid the endless
retries when FreeS/WAN does not receive a Delete SA notification.

I wonder why FreeS/WAN hasn't shut down the connection if SSH Sentinel
really sent the Delete Notify before disconnecting. I'm shutting down
Sentinel properly by selecting "Stop Policy Manager" before closing
down Windows.

Regards

Andreas

John A. Sullivan III wrote:
> After much preparation, we have finally started testing Free S/WAN in
> our labs. I was shocked when I came into the lab this morning to find
> that our first test gateway had been trying to renegotiate with the
> powered down test Road Warrior all through the night even though the
> Road Warrior (Sentinel) had been gracefully shut down and should have
> closed all of its sessions. I am using Free S/WAN 1.98b with x.509
> 0.9.14 and notify_delete 020724.
> I like to keep our networks and systems very clean. I can see where in
> a large environment with hundreds of RAS users, this could generate
> significant log, CPU and network overhead. Perhaps rekeying=0 is not a
> good default after all! If one can't reconnect within a certain number
> of retries, something more serious is probably wrong. We have seen
> other products give up after between three (I think IRE but I'm not sure
> - it may have been five) and five (Sentinel) retries - John

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
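The thread's "rekeying" is the per-conn retry limit that FreeS/WAN's ipsec.conf(5) calls keyingtries, where 0 or %forever (and leaving it unset) means "never give up" and produces the all-night renegotiation John describes. The script below is an added example, not code from the thread or from the FreeS/WAN project: it scans an ipsec.conf for conn sections whose effective keyingtries is unbounded, honouring a bound inherited from conn %default. The sample configuration it writes is constructed for the example; the conn names and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the FreeS/WAN thread): report ipsec.conf conns
# that will retry negotiation forever. Parameter name and semantics
# (keyingtries; 0 / %forever / unset = never give up) per FreeS/WAN ipsec.conf(5).
# Limitation: sections pulled in via "also=" are not followed.

# Print, one per line, the conns whose effective keyingtries is unbounded.
audit_keyingtries() {
    awk '
        # drop comments and surrounding whitespace, skip blank lines
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^$/ { next }
        /^conn[ \t]+/ {
            name = $2
            if (name == "%default") { in_default = 1 }
            else { in_default = 0; order[++n] = name; val[name] = "" }
            next
        }
        /^config[ \t]+/ { in_default = 0; name = ""; next }
        /^keyingtries=/ {
            v = substr($0, index($0, "=") + 1)
            if (in_default) def = v
            else if (name != "") val[name] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                v = val[order[i]]
                if (v == "") v = def          # fall back to conn %default
                # unset, 0 and %forever all mean "retry forever"
                if (v == "" || v == "0" || v == "%forever") print order[i]
            }
        }
    ' "$1"
}

# Constructed sample ipsec.conf: one conn bounds its retries, one relies on
# the (unbounded) default, one says 0 explicitly.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
        interfaces=%defaultroute

conn %default
        rekey=yes

conn gw-to-gw
        left=192.0.2.1
        right=198.51.100.1
        keyingtries=3

conn roadwarrior
        left=192.0.2.1
        right=%any
        # keyingtries not set: inherits %forever

conn lab-test
        left=192.0.2.1
        right=203.0.113.5
        keyingtries=0
EOF
}

# Demo run against the constructed sample; pass a real path instead to audit it.
sample=$(mktemp)
write_sample_conf "$sample"
echo "conns with unbounded keyingtries:"
audit_keyingtries "$sample"
rm -f "$sample"
```

Run it as `sh audit_keyingtries.sh` for the built-in sample, or call `audit_keyingtries /etc/ipsec.conf` from a shell that has sourced the file; every name it prints is a conn that will keep renegotiating after the peer disappears unless a bounded keyingtries is added to it or to conn %default.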

_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
