RE: Problem with dead CIPE link
"Mark Smith" <mark.smith,AT,avcosystems,DOT,co,DOT,uk>
Thu, 5 Jun 2003 15:00:52 +0100
> I wonder if the author(s) can shed some light on this topic.
I'm not sure if Olaf has the time to read every message sent to the list; I
hope he's still in good health...
I can offer something I believe I read a while back, which is that the key
exchange attempts to use the last known key, and when that fails, perhaps
after 3 retries, a key exchange is then attempted using the original static
key. If that succeeds, the link restarts. I'm fairly sure that cipe itself
is capable of surviving carrier problems, but whether it can survive only
one end restarting is a question I don't know the answer to. I'd hope it
could for exactly the reason that many other people would expect it to - so
that it would operate as an unattended system.
I may be wrong; this may have been someone's suggestion to try to fix a
problem. Perhaps someone with knowledge of the key exchange could provide
Mark Smith - Avco Systems Ltd
Tel: +44 (0)1784 430996 Fax: +44 (0)1784 431078
> -----Original Message-----
> From: owner-cipe-l,AT,inka,DOT,de [mailto:owner-cipe-l,AT,inka,DOT,de
> Behalf Of
> Alessandro Baretta
> Sent: 05 June 2003 14:34
> To: Les Mikesell; cipe-l,AT,inka,DOT,de
> Subject: Re: Problem with dead CIPE link
> Les Mikesell wrote:
> > On Thu, 2003-06-05 at 06:09, Alessandro Baretta wrote:
> >>>I've always wanted mine to retry forever, although if the
> >>I've tried it, but it is unfeasible, AFAICT. If one side of
> >>the VPN goes down, even if you restart it (manually or
> >>otherwise) it will have forgotten the key and won't be able
> >>to authenticate itself with the surviving peer.
> > Mine will reconnect by itself, and probably does it better
> > than any external mechanism. I'm running the 1.4.5 version
> That's curious. I've been working with the latest release
> (1.5.4). In my case, if one side goes down it is unable to
> reconnect unless the other side is restarted too. For this
> reason I stated that "it is unfeasible, AFAICT".
> > that comes with RedHat and have been reluctant to update
> > because it has been so robust. I have a central machine that
> > has about a dozen instances started with different options
> > files and it stays up for many months at a time while the
> > remote ends go through all the typical internet connectivity
> > issues and are rebooted/replaced periodically. I never have
> > to do anything special to make it reconnect after an outage.
> > But, this is cipe, not pkcipe.