Subject: Re: Problems with IPsec
To: Michael Richardson <email@example.com>
From: Bill Studenmund <firstname.lastname@example.org>
Date: 04/12/2002 10:57:02
On Fri, 12 Apr 2002, Michael Richardson wrote:
> Yes, that would be nice, I need it too!
> The protocol doesn't have anything to do that. There are DOS concerns if
> done wrong.
I understand. Also, I can see there will be situations where no interim
fix will work.
> Bill> ability when starting IKE to say we've rebooted, can't we use this in
> Bill> cases where we don't necessarily want to initiate IKE but believe the other
> Bill> side is confused?
> Bill Sommerfeld's proposal is that an RSA signature is done on statement "I
> have booted X times" and this is installed into the kernel as the payload for
> an ICMP message for unknown SPI#s
He explained it, and it sounds good. But it's an IKEv2 thing.
> Bill> I have three machines, one of which is a laptop that uses 802.11b. So I
> Bill> have ESP transport mode going between it and the other two. I'm to the
> Bill> point where about each time I reboot one of the machines (either the laptop
> Bill> or the desktops), I have to log into each machine that didn't reboot
> Bill> and run /etc/rc.d/ipsec reload to get functionality back.
Turns out this could well be a racoon bug. It used to be all I had to do
was have the rebooted machine ping the others, and the initial contact
code would take care of everything. But that doesn't work now. :-(