
CHartness at camgian
Oct 21, 2009, 10:19 AM
-----Original Message-----
From: vpnc-devel-bounces [at] unix-ag [mailto:vpnc-devel-bounces [at] unix-ag] On Behalf Of Dan Williams
Sent: Wednesday, October 21, 2009 12:02 PM
To: vpnc list to send bug reports and discussions with developers
Subject: Re: [vpnc-devel] VPNC 0.5.3 Phase II ReKeying

On Tue, 2009-10-20 at 09:28 -0500, Clark Hartness wrote:
> Greetings,
>
> Up front I am sorry for posting to the -devel group for this question
> but I find no user or admin group to post to....
>
> I downloaded and did a very straight forward:
>
> make
> make install
>
> with VPNC 0.5.3
>
> From what I can find on the groups I seem to be having issues Phase
> II ReKeying
>
> Grep From /var/log/messages
>
> Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
> Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
>
> Very Simple Conf File in place:
>
> [root [at] cymsf vpnc]# cat default.conf
> # SJC
> IPSec gateway <removed>
> IPSec ID <removed>
> IPSec obfuscated secret <removed>
> # your username goes here:
> Xauth username <removed>
> Xauth password <removed>
> # if you want to test rekeying specify nonzero seconds here:
> #Rekeying interval 7200
>
>
> If I uncomment the Rekeying interval 7200 in the conf file I get the error:
>
> vpnc: warning: unknown configuration directive in
> /etc/vpnc/default.conf at line 9
>
> I have a monitor script in place that reconnects the VPN on failure
> but I have some processes that are sensitive to the reconnect.
>
> Could someone point me to some documentation on how to configure the
> Phase II Rekeying to avoid this?

IIRC vpnc only supports the first rekeying interval, but does not support the second one which is usually 24 hours. I don't know if that second one is the 'phase II' or not. 'Rekeying interval' isn't needed because I believe vpnc is smart enough to figure that out automatically these days for the first (ISAKMP?) rekey.

It used to be required in 0.3 or 0.4 right after the rekeying patch landed, but no longer is. As such, the option is not recognized in vpnc 0.5.x.

Dan

Thanks Dan

I have kinda figured that out as I have gone through this more and more. I noticed a TODO to make Phase II Rekeying Work in the Man Page and Notes.

The server I am connecting to seems to be set on an 8 Hour Rekeying and every 8 hours the connection dies with an entry in the Syslog like:

Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer

This is a site to site connection and I have a script in place that tests if the connection is up and if not restarts it so about every 8 hours it hiccups like this....

Clark

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
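The thread leaves the 8-hour figure as a guess from eyeballing syslog. The script below is an added example, not code from the thread or from the vpnc project: it parses "unknown spi ... from peer" lines in the syslog layout shown above, collapses the doubled log line vpnc emits for each SPI, and checks whether the intervals between distinct events line up with a suspected peer-side SA lifetime (28800 s for 8 hours). The log lines are constructed for the example (only the 0xaa8f5c79 pair appears in the thread); syslog timestamps carry no year, so the caller supplies one.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample log in the layout the thread shows. The first and last
# SPI values and the monitor line are made up; 0xaa8f5c79 is from the thread.
SAMPLE_LOG = """\
Oct 19 23:29:00 cymsfw vpnc[2321]: unknown spi 0x11aa22bb from peer
Oct 19 23:29:00 cymsfw vpnc[2321]: unknown spi 0x11aa22bb from peer
Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
Oct 20 07:29:05 cymsfw monitor[2400]: vpnc restarted
Oct 20 15:29:03 cymsfw vpnc[2555]: unknown spi 0x0badc0de from peer
"""

# Matches only vpnc's "unknown spi" line; the monitor line above is ignored.
SPI_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpnc\[\d+\]: "
    r"unknown spi (?P<spi>0x[0-9a-fA-F]+) from peer$"
)


def parse_unknown_spi_events(log_text, year):
    """Return [(datetime, spi), ...] in log order, one entry per distinct SPI.

    vpnc logs the same SPI twice per event in the thread, so the first
    sighting of each SPI is kept and repeats are dropped. `year` is an
    assumption supplied by the caller because syslog timestamps omit it.
    """
    first_seen = OrderedDict()
    for line in log_text.splitlines():
        m = SPI_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        first_seen.setdefault(m["spi"].lower(), ts)
    return [(ts, spi) for spi, ts in first_seen.items()]


def event_gaps(events):
    """Seconds between consecutive distinct unknown-spi events."""
    times = [ts for ts, _ in events]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def matches_lifetime(gaps, lifetime_seconds, tolerance_seconds=120):
    """True when every gap is within tolerance of the suspected SA lifetime.

    A consistent period strongly suggests the peer is expiring the IPsec SA
    on its own timer and vpnc is not rekeying ahead of it.
    """
    if not gaps:
        return False
    return all(abs(g - lifetime_seconds) <= tolerance_seconds for g in gaps)


if __name__ == "__main__":
    evs = parse_unknown_spi_events(SAMPLE_LOG, 2009)  # 2009 assumed from the thread date
    for ts, spi in evs:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {spi}")
    gaps = event_gaps(evs)
    print("gaps (s):", gaps)
    print("consistent with 8h peer lifetime:", matches_lifetime(gaps, 8 * 3600))
```

Run it against a real /var/log/messages by reading the file into `parse_unknown_spi_events` instead of `SAMPLE_LOG`; if the gaps cluster tightly around one value, that value is the peer's Phase II lifetime and explains the periodic reconnect.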