racoon behaviour when SA expires
Chris Cowen
chris at wayforth.co.uk
Fri Jan 28 08:54:01 PST 2005
Hi
I am using a VPN in tunnel mode between two sites, using racoon to
negotiate the SA with x500 certs and everything works well. However,
when the default SA lifetime of 8 hours (28800 secs) expires, racoon
will not re-establish connection automatically. I'm using ipv4.
A workaround is to flush the SPD on both ends, or sometimes, a restart
of racoon on the remote end is necessary.
I could increase the lifetime of the SA in racoon.conf, but I'd like it
to just stay up (or better still, for racoon to renegotiate successfully
when necessary). BTW can I set lifetime to zero to make the SA last forever?
I've looked on various mailing lists and there does seem to be a hint that
racoon's behaviour is slightly odd when SAs expire (although to be fair,
this is in a post dated 1998 - so it may well have been fixed by now).
After the problems start, the logs report that the SA is up and well and
a tcpdump shows that things are partially working. The packets go from
my local machine, through the tunnel, are decrypted and reach the
destination machine on the remote network. The reply then gets back as
far as the remote racoon gateway machine and disappears there. There
doesn't seem to be any log info to explain its disappearance.
The (quite poor) diagram below tries to illustrate this:

    local -> localgw ----------------------> remotegw ---> remote host
    site a                tunnel             site b

                                             remotegw <--- remote host
                                             ^- gets this far.
This means that we can't properly deploy our VPN, since it effectively
stops working after 8 hours (or whatever time we set the lifetime to).
Anybody seen anything like this before?
Thanks
Chris
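One check a defender can run against the symptom described above, written as an added example for this thread (not code from the post, from racoon or from ipsec-tools): it parses `setkey -D` output in the KAME layout as assumed here and reports SAs that have passed their soft lifetime without being rekeyed, or that the kernel already marks as dying or dead. The sample dump is constructed and the exact field layout is an assumption to verify against your own stack.

```python
import re
# Constructed sample in the `setkey -D` layout (an assumed format, check it
# against your own stack). The first SA is 27000 s into its 8-hour hard
# lifetime and past the soft lifetime, so racoon should already have rekeyed.
SAMPLE_SADUMP = """\
10.1.1.1 10.2.2.2
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan 28 08:00:00 2005\tcurrent: Jan 28 15:30:00 2005
\tdiff: 27000(s)\thard: 28800(s)\tsoft: 23040(s)
10.2.2.2 10.1.1.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan 28 15:00:00 2005\tcurrent: Jan 28 15:30:00 2005
\tdiff: 1800(s)\thard: 28800(s)\tsoft: 23040(s)
"""
SPI_RE = re.compile(r"spi=(\d+)")
STATE_RE = re.compile(r"state=(\w+)")
LIFE_RE = re.compile(r"^\s*diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")

def parse_sadump(text):
    """Turn `setkey -D` output into one dict per SA (src, dst, spi, state, diff, hard, soft)."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():   # an unindented "src dst" line opens a record
            src, dst = line.split()
            sas.append({"src": src, "dst": dst, "diff": 0, "hard": 0, "soft": 0})
        elif sas:
            if m := SPI_RE.search(line):
                sas[-1]["spi"] = int(m.group(1))
            if m := STATE_RE.search(line):
                sas[-1]["state"] = m.group(1)
            if m := LIFE_RE.match(line):     # the time-based lifetime line only
                sas[-1]["diff"], sas[-1]["hard"], sas[-1]["soft"] = map(int, m.groups())
    return sas

def sa_status(sa):
    """ok / rekey-overdue / expired, from the kernel state and the lifetimes."""
    state, age, hard, soft = sa.get("state"), sa["diff"], sa["hard"], sa["soft"]
    if state == "dead" or (hard and age >= hard):
        return "expired"
    if state == "dying" or (soft and age >= soft):   # past soft limit: a rekey should have happened
        return "rekey-overdue"
    return "ok"

def stale_sas(text):
    """(src, dst, spi, status) for every SA that is not healthy; an empty list means all good."""
    return [(s["src"], s["dst"], s["spi"], sa_status(s))
            for s in parse_sadump(text) if sa_status(s) != "ok"]
```

Run it periodically against the live `setkey -D` output on both gateways; an SA reported as rekey-overdue while traffic still flows one way matches the half-working tunnel described in the post.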
More information about the freebsd-net mailing list