racoon behaviour when SA expires
Crist J. Clark
cristjc at comcast.net
Tue Feb 1 22:50:49 PST 2005
On Tue, Feb 01, 2005 at 02:19:22PM +0000, Chris Cowen wrote:
> Alex wrote:
> >Hi Chris,
> >
> >SA in IPsec can expire really quick, it depends how often it is required
> >for SPD key negotiation. Once SPD is established, the SA will be
> >required only when a new tunnel key is needed. Try to put a really low
> >delay on both SAD & SPD and turn racoon debug on to see why your SA is
> >not renegotiated.
> >
>
> A bit more investigation reveals that the SA is re-established but the
> SPD entries at the remote get dropped. This would explain the half duplex
> communication I am seeing with tcpdump (ping repsonses get back as far
> as the remote racoon machine and the lack of SPD means the machine can't
> route the packet back through the tunnel).
IIRC, the problem occurs when racoon(8) is set to "create policy" on the
fly. What happens is that when the SA gets stale, but before it expires,
racoon(8) creates a new SA. But since there is an existing entry in the
SPD, a new one is cannot made. When the old SA times out, the its
accompanying SPD entry is killed, leaving no SPD entry at all.
--
Crist J. Clark | cjclark at alum.mit.edu
More information about the freebsd-net
mailing list