Subject: Re: Problems with IPsec
To: Michael Richardson <>
From: Bill Studenmund <>
List: tech-net
Date: 04/12/2002 10:57:02
On Fri, 12 Apr 2002, Michael Richardson wrote:

>   Yes, that would be nice, I need it too!
>   The protocol doesn't have anything to do that. There are DOS concerns if
> done wrong.

I understand. Also, I can see there will be situations where no interum
fix will work.

>     Bill> ability when starting IKE to say we've rebooted, can't we use this in
>     Bill> cases where we don't necessrily want to initiate IKE but believe the other
>     Bill> side is confused?
>   Bill Sommerfeld's proposal is that a RSA signature is done on statement "I
> have booted X times" and this is installed into the kernel as the payload for
> an ICMP message for unknown SPI#s

He explained it, and it sounds good. But it's an IKEv2 thing.

>     Bill> I have three machines, one of which is a laptop that uses 802.11b. So I
>     Bill> have ESP transport mode going between it and the other two. I'm to the
>     Bill> point where about each time I reboot one of the machines (either the lap
>     Bill> top or the desktops), I have to log into each machine that didn't reboot
>     Bill> and run /etc/rc.d/ipsec reload to get functionality back.
>   Yeah...

Turns out this could well be a racoon bug. It used to be all I had to do
was have the rebooted machine ping the others, and the initial contact
code would take care of everything. But that doesn't work now. :-(

Take care,