Browse code
--reneg-sec clarification in man page. Should be added to 2.0.x branch as well.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1606 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2006/12/24 19:38:56Showing 1 changed files
| ... | ... |
@@ -3860,6 +3860,19 @@ packets sent and received (disabled by default). |
| 3860 | 3860 |
Renegotiate data channel key after |
| 3861 | 3861 |
.B n |
| 3862 | 3862 |
seconds (default=3600). |
| 3863 |
+ |
|
| 3864 |
+When using dual-factor authentication, note that this default value may |
|
| 3865 |
+cause the end user to be challenged to reauthorize once per hour. |
|
| 3866 |
+ |
|
| 3867 |
+Also, keep in mind that this option can be used on both the client and server, |
|
| 3868 |
+and whichever uses the lower value will be the one to trigger the renegotiation. |
|
| 3869 |
+A common mistake is to set |
|
| 3870 |
+.B --reneg-sec |
|
| 3871 |
+to a higher value on either the client or server, while the other side of the connection |
|
| 3872 |
+is still using the default value of 3600 seconds, meaning that the renegotiation will |
|
| 3873 |
+still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the |
|
| 3874 |
+client and server, or set it to 0 on one side of the connection (to disable), and to |
|
| 3875 |
+your chosen value on the other side. |
|
| 3863 | 3876 |
.\"********************************************************* |
| 3864 | 3877 |
.TP |
| 3865 | 3878 |
.B --hand-window n |