Greetings,
I have a use case where I want to introduce brand new boxes into a closed network that uses openvpn. These boxes come with pre-shared (unique) certificates, but do not have a clock that runs on time (they're brand new). And openvpn refuses to acknowledge their packets because they are unacceptably old. With static tunnel keys, I can understand this: you want to protect yourself from replay, so you require that both nodes run more or less on the same schedule. But for dynamically negotiated tunnel keys it makes no sense, in my humble opinion: the key is new across reboots, so you can rely only on counters for replay protection. Can I have an option where I can turn off replay detection using timestamps when not using static keys?
Timestamp checking: sometimes unnecessary or even annoying
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Timestamp checking: sometimes unnecessary or even annoying
Read the manual page and look for 'replay-window'; most likely it will turn off timestamp checking.
Code:
replay-window 64 0
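As an added example that is not from this thread or from OpenVPN's own source, a simplified Python model of a 64-packet sliding-window replay check with an optional timestamp window, showing what setting the time window to 0 changes: the per-key counter window still rejects replays and packets that fall out of the window, only the clock comparison goes away. The window semantics and the clock comparison are assumptions modelled on an IPsec-style anti-replay window, not a copy of OpenVPN's packet_id.c.

```python
# Added example (assumed semantics, not OpenVPN's implementation): sliding-window
# anti-replay over per-key sequence numbers, plus an optional clock check.

class ReplayWindow:
    """Highest accepted sequence number plus a bitmap of the window_size most
    recent ones; time_window=0 means counters only (no clock comparison)."""

    def __init__(self, window_size=64, time_window=15):
        self.window_size = window_size
        self.time_window = time_window  # seconds; 0 disables the clock check
        self.highest = 0                # highest sequence number seen so far
        self.bitmap = 0                 # bit i set => (highest - i) already seen

    def accept(self, seq, sender_ts, receiver_now):
        """Return (accepted, reason) for a packet with per-key counter `seq`
        and sender clock `sender_ts`, judged at receiver clock `receiver_now`."""
        if seq == 0:
            return False, "seq 0 is reserved"
        # Assumed clock rule: reject if the two clocks disagree by more than
        # time_window seconds. A brand new box with an unset clock fails here.
        if self.time_window and abs(receiver_now - sender_ts) > self.time_window:
            return False, "timestamp outside time window"
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 0 if shift >= self.window_size else self.bitmap << shift
            self.bitmap = (self.bitmap | 1) & ((1 << self.window_size) - 1)
            self.highest = seq
            return True, "new highest"
        offset = self.highest - seq
        if offset >= self.window_size:
            return False, "older than the window"
        if self.bitmap & (1 << offset):
            return False, "replay"
        self.bitmap |= 1 << offset
        return True, "late but fresh"


def demo():
    """Constructed stream: a box whose clock is far behind the server,
    with one counter value replayed and some reordering."""
    server_now, box_ts = 1_700_000_000, 1_600_000_000  # constructed clocks
    strict, lenient = ReplayWindow(64, 15), ReplayWindow(64, 0)
    return {
        "strict_rejects_bad_clock": not strict.accept(1, box_ts, server_now)[0],
        "counters_only_accepts": lenient.accept(1, box_ts, server_now)[0],
        "counters_only_catches_replay": lenient.accept(1, box_ts, server_now)[1] == "replay",
        "reordering_tolerated": lenient.accept(5, box_ts, server_now)[0]
            and lenient.accept(3, box_ts, server_now)[0],
        "too_old_dropped": lenient.accept(100, box_ts, server_now)[0]
            and lenient.accept(30, box_ts, server_now)[1] == "older than the window",
    }
```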