freebsd security - Aug 2003 - IPSec delays

I've been using IPSec and racoon alot lately creating tunnels between
FreeBSD machines.  Everything works as it should once I've got it running. 
I do however seem to get delays when one, or both ends of the tunnel drop or are
rebooted.  On reboot, once the machine starts racoon, it takes two or three
minutes for the tunnel to come back up.  If I stop and restart racoon, it takes
only 60 seconds.  I'd prefer to cut this time down on both to 30 seconds or
less.  Below is my racoon.conf.  I've watched the racoon logs, and it
doesn't give me any errors, or failed negotiations.  Any ideas?

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote anonymous
{

        exchange_mode aggressive;
        doi ipsec_doi;
        situation identity_only;

\

        nonce_size 256;
        lifetime time 30 min;   # sec,min,hour
        initial_contact on;
        support_mip6 off;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


Kevin Glick
glitch@ridiculum.woohaw.com

On Thursday, 2003-08-07 at 17:45:56 -0700, Kevin Glick
wrote:
> I've been using IPSec and racoon alot lately creating tunnels between
FreeBSD machines.  Everything works as it should once I've got it running. 
I do however seem to get delays when one, or both ends of the tunnel drop or are
rebooted.  On reboot, once the machine starts racoon, it takes two or three
minutes for the tunnel to come back up.  If I stop and restart racoon, it takes
only 60 seconds.  I'd prefer to cut this time down on both to 30 seconds or
less.  Below is my racoon.conf.  I've watched the racoon logs, and it
doesn't give me any errors, or failed negotiations.  Any ideas?
I had something like this with a Racoon/FreeS/WAN setup. I found out
that the algorithms did no match, and the tunnel would only be built
from the Racoon side. Seems FreeS/WAN was set up to accept a wider range
of algorithms than Racoon. I have to confess I did not understand if you
can specify more than one algorithm to Racoon.

Switch on debugging and look for rejected connection attempts.

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                      
|
| "Thief of Time", Terry Pratchett                                    
|