Date: Tue, 01 Feb 2005 14:19:22 +0000
From: Chris Cowen <chris@wayforth.co.uk>
To: freebsd-net@freebsd.org
Subject: Re: racoon behaviour when SA expires
Message-ID: <41FF8FEA.9050102@wayforth.co.uk>
In-Reply-To: <5a500d3088229b5786cedbe82665ece5@meta-x.org>
References: <41FA6E06.8040309@wayforth.co.uk> <5a500d3088229b5786cedbe82665ece5@meta-x.org>
Alex wrote:
> Hi Chris,
>
> SA in IPsec can expire really quick, it depends how often it is required
> for SPD key negotiation. Once SPD is established, the SA will be
> required only when a new tunnel key is needed. Try to put a really low
> delay on both SAD & SPD and turn racoon debug on to see why your SA is
> not renegotiated.
>

A bit more investigation reveals that the SA is re-established but the SPD entries at the remote get dropped. This would explain the half-duplex communication I am seeing with tcpdump (ping responses get back as far as the remote racoon machine and the lack of SPD means the machine can't route the packet back through the tunnel).

I have tried applying the suggested fix in fbsd4/530, which seems to be a similar problem, but this doesn't make any difference, unfortunately.

Turning on debug messages seems to alter timings sufficiently that problems are harder to reproduce exactly and/or slightly different problems are encountered.

Looks like I'm going to have to have a more detailed look at the source ....
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41FF8FEA.9050102>
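The failure mode Chris describes (SA renegotiated, but one direction of the remote's SPD gone, so traffic only flows one way) is cheap to check for from a monitoring hook. The script below is an added example and not part of the original thread or of racoon/setkey; it parses the text of a `setkey -DP` policy dump and reports whether both an inbound and an outbound IPsec policy are present. The two dumps embedded in it are constructed samples in the KAME `setkey -DP` layout (networks, peer addresses and spid values are made up), and the assumption that direction lines begin with `in` or `out` is based on that layout.

```sh
#!/bin/sh
# Check a `setkey -DP` policy dump for the half-duplex condition seen in the
# thread: the SA came back but the remote lost one direction of its SPD.
# Added example, not from the original message. The sample dumps are
# constructed; hosts, networks and spids are made up.

# Constructed sample: only the inbound policy survived.
SAMPLE_HALF_DUPLEX='10.0.0.0/24[any] 10.0.1.0/24[any] any
	in ipsec
	esp/tunnel/192.0.2.2-192.0.2.1/require
	spid=2 seq=1 pid=1234
	refcnt=1'

# Constructed sample: healthy SPD with both directions present.
SAMPLE_OK='10.0.0.0/24[any] 10.0.1.0/24[any] any
	in ipsec
	esp/tunnel/192.0.2.2-192.0.2.1/require
	spid=2 seq=1 pid=1234
	refcnt=1
10.0.1.0/24[any] 10.0.0.0/24[any] any
	out ipsec
	esp/tunnel/192.0.2.1-192.0.2.2/require
	spid=1 seq=0 pid=1234
	refcnt=1'

# spd_directions DUMP
# Prints the policy directions (in/out) found in the dump, one per line,
# sorted and deduplicated. Direction lines look like "<tab>in ipsec";
# selector and proposal lines never start with "in" or "out".
spd_directions() {
    printf '%s\n' "$1" | awk '$1 == "in" || $1 == "out" { print $1 }' | sort -u
}

# spd_is_full_duplex DUMP
# Returns 0 when both an inbound and an outbound policy are present,
# 1 otherwise (the state that yields one-way ping traffic).
spd_is_full_duplex() {
    dirs=$(spd_directions "$1")
    echo "$dirs" | grep -qx in && echo "$dirs" | grep -qx out
}

# spd_report DUMP
# Human-readable verdict; on a live host call it as:
#   spd_report "$(setkey -DP)"
spd_report() {
    if spd_is_full_duplex "$1"; then
        echo "SPD ok: inbound and outbound policies present"
    else
        echo "SPD degraded: present direction(s): $(spd_directions "$1" | tr '\n' ' ')"
    fi
}

spd_report "$SAMPLE_OK"
spd_report "$SAMPLE_HALF_DUPLEX"
```

Run from cron on both tunnel endpoints, a non-zero exit from `spd_is_full_duplex` is the signal to capture `setkey -D` and the racoon log at that moment, rather than turning on debug output permanently and shifting the timings, as the message notes happens.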