ipsec session key renegotiation


Hi all,

Now that I have (thanks to Steven L Umbach) the ipsec connection working on the XP machines, I face a new problem.
Let's say A and B have an ipsec (not tunnel) connection. When A is restarted, B cannot connect anymore: it has a session key that A is not aware of.
Can ipsec be configured in such a way that on (re)start keys are renegotiated with all hosts mentioned in the configuration (presuming "any host" is not configured)?

Thanks in advance to all who reply.
 

Steven L Umbach

I believe that eventually a new SA should be set up automatically, though
offhand I can't remember what time frame to expect. If the Windows Firewall
is enabled on the computer, even with the ipsec exemption, I am not sure if
that will impede progress or not, so if you have that enabled you may want to
temporarily disable it, assuming it does not put any computer at risk.
Another thing you could try to speed up the SA is to restart the ipsec
service on the computer that was not restarted, as in `net stop policyagent`
and then `net start policyagent`. If you have not seen the following links
below from the same white paper yet, they are about the best I know of on
Windows ipsec and may give you needed guidance; though much will not apply to
your situation, a lot still will. Checking the security and application logs
on the computers involved can also give you helpful information. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch7.mspx
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecapa.mspx