Re: [Users] Disconnection during rekeying

From: Arsen Drambyan (Arsen.Drambyan_at_epygilab.am)
Date: Mon Oct 21 2002 - 12:28:19 CEST


Oh, thanks, I know about rekeymargin, and that the default is 9m,
and the actual rekeying (again by default) happens 9 to 18 minutes
before expiration (because of rekeyfuzz=100%)...
But when the new connection just replaces the current one, and assume
I have heavy traffic there, will I have some IP packet loss? I know
that for example TCP will definitely resend the packet, and no one
will know of a single IP packet loss, but anyway I wanted to know...
Is it definitely impossible? Or is it theoretically possible, but
non-considerably small?

And I would like to know your opinion about whether rekeying is a heavy
operation. (Because my VPN runs on quite weak hardware... )
For example if I have:
ikelifetime=15m
rekeymargin=3m
rekeyfuzz=50%
what kind of a traffic "clutter" is there?
And what about the other rekeying stuff? Short-term key generation,
etc... is that very resource-consuming?

Thanks and best regards,
Arsen Drambyan
Epygi Labs AM

----- Original Message -----
From: "Sam Sgro" <sam_at_freeswan.org>
To: "Corey Rogers" <corey_at_wamcodm.com>
Cc: "Arsen Drambyan" <Arsen.Drambyan_at_epygilab.am>;
<users_at_lists.freeswan.org>
Sent: Saturday, October 19, 2002 11:57 AM
Subject: Re: [Users] Disconnection during rekeying

> On 18 Oct 2002, Corey Rogers wrote:
>
> > I'm not sure if there is, but they are the rekey parameters that are used
> > in ipsec.conf. These cause the negotiation of new keys (when using
> > autokeys) at a specified time before the keys in use are expired,
> > eliminating the delay of creating new keys.
>
> For the curious, here is the relevant section from ipsec.conf:
>
> rekeymargin how long before connection expiry or keying-channel
> expiry should attempts to negotiate a replacement begin;
> acceptable values as for keylife (default 9m). Relevant
> only locally, other end need not agree on it.
>
> So, a 9 minute margin is present by default.
>
> --
> Sam Sgro
> sam_at_freeswan.org
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
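The thread above describes how rekeymargin and rekeyfuzz place the rekey attempt somewhere between rekeymargin and rekeymargin*(1+rekeyfuzz) before the SA expires (9 to 18 minutes with the defaults). The following script is an added illustration, not code from FreeS/WAN or from anyone in the thread: it parses ipsec.conf-style values, computes that window for a given ikelifetime/rekeymargin/rekeyfuzz, estimates how many IKE negotiations per hour a single connection causes, and simulates the rekey times. It assumes the random increase is drawn uniformly between 0 and rekeyfuzz (the example's reading of "randomly increased"), that each new SA restarts the lifetime clock, and it applies its own sanity check that the fuzzed margin is shorter than the lifetime; it makes no claim about pluto's internal validation.

```python
import random
import re

# ipsec.conf time values: an integer number of seconds, or a number followed by
# s, m, h or d (e.g. "9m", "1h"). Assumption of this example: only those suffixes.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert an ipsec.conf-style duration such as '15m' or '3600' to seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[smhd])+", text):
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))


def parse_percent(text):
    """Convert a rekeyfuzz value such as '50%' or '100%' to a fraction (0.5, 1.0)."""
    return int(text.strip().rstrip("%")) / 100.0


def rekey_window(ikelifetime, rekeymargin, rekeyfuzz):
    """Return (earliest, latest) seconds after SA establishment at which a replacement
    negotiation may begin: the margin is raised by a random 0..rekeyfuzz share of
    itself, so the attempt starts rekeymargin .. rekeymargin*(1+fuzz) before expiry."""
    life = parse_duration(ikelifetime)
    margin = parse_duration(rekeymargin)
    fuzz = parse_percent(rekeyfuzz)
    max_margin = margin * (1 + fuzz)
    # Sanity check belonging to this example (not a statement about pluto): if the
    # fuzzed margin can reach the whole lifetime, the SA would be due for
    # replacement the moment it is established.
    if max_margin >= life:
        raise ValueError("rekeymargin*(1+rekeyfuzz) must be shorter than ikelifetime")
    return life - max_margin, life - margin


def mean_rekeys_per_hour(ikelifetime, rekeymargin, rekeyfuzz):
    """Average IKE rekey negotiations per hour for one connection, assuming the
    fuzz is uniform and every new SA restarts the lifetime clock."""
    earliest, latest = rekey_window(ikelifetime, rekeymargin, rekeyfuzz)
    return 3600.0 / ((earliest + latest) / 2.0)


def simulate_rekeys(ikelifetime, rekeymargin, rekeyfuzz, horizon, seed=0):
    """Simulate one connection for `horizon` seconds and return the times (seconds
    from start) at which a rekey negotiation starts. The random increase is drawn
    uniformly between 0 and rekeyfuzz (an assumption of this example)."""
    rng = random.Random(seed)
    rekey_window(ikelifetime, rekeymargin, rekeyfuzz)  # reuse the sanity check
    life = parse_duration(ikelifetime)
    margin = parse_duration(rekeymargin)
    fuzz = parse_percent(rekeyfuzz)
    times, now = [], 0.0
    while True:
        effective_margin = margin * (1 + rng.uniform(0.0, fuzz))
        now += life - effective_margin
        if now > horizon:
            return times
        times.append(now)


if __name__ == "__main__":
    # FreeS/WAN defaults (ikelifetime=1h) versus the values asked about in the thread.
    for params in (("1h", "9m", "100%"), ("15m", "3m", "50%")):
        lo, hi = rekey_window(*params)
        print("ikelifetime=%s rekeymargin=%s rekeyfuzz=%s: rekey starts %.0f..%.0f s "
              "after establishment, about %.1f negotiations/hour"
              % (params + (lo, hi, mean_rekeys_per_hour(*params))))
```

With the thread's numbers (ikelifetime=15m, rekeymargin=3m, rekeyfuzz=50%) the replacement negotiation starts 630 to 720 seconds after the SA comes up, i.e. roughly five IKE negotiations per hour per connection, against a little over one per hour with the defaults; the simulation lets one see how the fuzz spreads those negotiations out when many connections share a gateway.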



This archive was generated by hypermail 2.1.5 : Tue Oct 22 2002 - 05:20:31 CEST