racoon behaviour when SA expires
Chris Cowen
chris at wayforth.co.uk
Tue Feb 1 06:19:27 PST 2005
Alex wrote:
> Hi Chris,
>
> SA in IPsec can expire really quick, it depends how often it is required
> for SPD key negotiation. Once SPD is established, the SA will be
> required only when a new tunnel key is needed. Try to put a really low
> delay on both SAD & SPD and turn racoon debug on to see why your SA is
> not renegotiated.
>
A bit more investigation reveals that the SA is re-established but the
SPD entries at the remote get dropped. This would explain the half duplex
communication I am seeing with tcpdump (ping responses get back as far
as the remote racoon machine and the lack of SPD means the machine can't
route the packet back through the tunnel).
I have tried applying the suggested fix in fbsd4/530, which seems to be
a similar problem, but this doesn't make any difference, unfortunately.
Turning on debug messages seems to alter timings sufficiently that
problems are harder to reproduce exactly and/or slightly different
problems are encountered.
Looks like I'm going to have to have a more detailed look at the source ....
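The symptom Chris describes, an SA that comes back but a remote SPD entry that does not, can be checked from the policy database rather than inferred from tcpdump. The script below is an added example, not code from this thread or from racoon/ipsec-tools: it parses `setkey -DP` output for a given tunnel selector pair and fails when either the outbound or the inbound policy is missing. The two sample outputs are constructed here to mimic KAME/FreeBSD setkey formatting; the subnets and gateway addresses are placeholders, and in real use you would pipe live `setkey -DP` output into `tunnel_policy_ok`.

```shell
#!/bin/sh
# Added example, not code from the thread or from racoon/ipsec-tools.
# Checks `setkey -DP` output for both directions of a tunnel policy so the
# "half duplex" symptom (SA present, SPD entry missing on one side) shows up
# in a script instead of in tcpdump. The sample outputs are constructed to
# mimic KAME/FreeBSD setkey formatting; in real use pipe `setkey -DP` in.

# spd_dirs SRC DST  <setkey-DP-output
# Print the direction (in/out) of every policy whose selector is SRC -> DST.
spd_dirs() {
    awk -v src="$1" -v dst="$2" '
        # Selector lines start in column 1: "src[port] dst[port] proto".
        /^[^ \t]/ {
            s = $1; d = $2
            sub(/\[.*/, "", s); sub(/\[.*/, "", d)   # drop the "[any]" port part
            hit = (s == src && d == dst)
            next
        }
        # Indented lines belong to the selector above; the first word is the
        # direction, the policy action, or a counter such as spid=/refcnt=.
        hit && ($1 == "in" || $1 == "out") { print $1 }
    '
}

# tunnel_policy_ok LOCALNET REMOTENET  <setkey-DP-output
# Succeeds only if LOCALNET -> REMOTENET is covered by an "out" policy and
# REMOTENET -> LOCALNET by an "in" policy; reports what is missing.
tunnel_policy_ok() {
    spd=$(cat)
    rc=0
    case " $(printf '%s\n' "$spd" | spd_dirs "$1" "$2" | tr '\n' ' ') " in
        *" out "*) ;;
        *) echo "missing: out policy $1 -> $2"; rc=1 ;;
    esac
    case " $(printf '%s\n' "$spd" | spd_dirs "$2" "$1" | tr '\n' ' ') " in
        *" in "*) ;;
        *) echo "missing: in policy $2 -> $1"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample 1: a healthy side, both directions present.
SPD_OK='10.1.0.0/24[any] 10.2.0.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/require
    spid=1 seq=1 pid=100
    refcnt=1
10.2.0.0/24[any] 10.1.0.0/24[any] any
    in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require
    spid=2 seq=0 pid=100
    refcnt=1'

# Constructed sample 2: the failure mode from the thread, the "in" policy
# for traffic coming back through the tunnel is gone.
SPD_HALF='10.1.0.0/24[any] 10.2.0.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/require
    spid=1 seq=0 pid=100
    refcnt=1'

# Stand-alone run over both samples (real use: setkey -DP | tunnel_policy_ok ...)
printf '%s\n' "$SPD_OK"   | tunnel_policy_ok 10.1.0.0/24 10.2.0.0/24 && echo "sample 1: ok"
printf '%s\n' "$SPD_HALF" | tunnel_policy_ok 10.1.0.0/24 10.2.0.0/24 || echo "sample 2: broken"
```

Running this on the remote box right after the SA is renegotiated, and comparing with the output before expiry, pins the problem on the policy database rather than on the SA itself; a cron or watch loop around `setkey -DP | tunnel_policy_ok ...` also avoids the timing changes that turning on racoon debug output introduces.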