Date: Fri, 28 Jan 2005 16:53:26 +0000
From: Chris Cowen <chris@wayforth.co.uk>
To: freebsd-net@freebsd.org
Subject: racoon behaviour when SA expires
Message-ID: <41FA6E06.8040309@wayforth.co.uk>
Hi,

I am using a VPN in tunnel mode between two sites, using racoon to negotiate the SA with x500 certs, and everything works well. However, when the default SA lifetime of 8 hours (28800 secs) expires, racoon will not re-establish the connection automatically. I'm using ipv4.

A workaround is to flush the SPD on both ends, or sometimes a restart of racoon on the remote end is necessary. I could increase the lifetime of the SA in racoon.conf, but I'd like it to just stay up (or better still, for racoon to renegotiate successfully when necessary). BTW, can I set lifetime to zero to make the SA last forever?

I've looked on various mailing lists and there does seem to be a hint that racoon's behaviour is slightly odd when SAs expire (although, to be fair, this is in a post dated 1998, so it may well have been fixed by now).

After the problems start, the logs report that the SA is up and well, and a tcpdump shows that things are partially working. The packets go from my local machine, through the tunnel, are decrypted and reach the destination machine on the remote network. The reply then gets back as far as the remote racoon gateway machine and disappears there. There doesn't seem to be any log info to explain its disappearance. The (quite poor) diagram below tries to illustrate this:

    local -> localgw ----------------------> remotegw ---> remote host
    site a                  tunnel                  site b
                                             remotegw <--- remote host
                                             ^- gets this far.

This means that we can't properly deploy our VPN, since it effectively stops working after 8 hours (or whatever time we set the lifetime to).

Anybody seen anything like this before?

Thanks
Chris
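One way to tell whether the kernel SAs were actually rekeyed before the hard lifetime hit, as an added example that is not part of the original post: a small shell script that parses `setkey -D` output and flags any SA that has passed its soft lifetime without a younger SA for the same src/dst appearing. It assumes the KAME-style `setkey -D` layout (an unindented "src dst" line followed by indented attribute lines including "diff: ... hard: ... soft: ..."); the SAMPLE_* strings are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the original post: report IPsec SAs from
# `setkey -D` output and flag those past their soft lifetime with no
# replacement SA, i.e. the rekey racoon should have done never happened.
# Assumed layout (KAME setkey -D): unindented "src dst" line, then
# indented lines such as "esp mode=tunnel spi=...(0x...)" and
# "diff: <age>(s)  hard: <n>(s)  soft: <n>(s)".

sa_report() {
  # stdin: setkey -D text. stdout: one line per SA.
  # exit status 1 if some SA is past its soft lifetime and not rekeyed.
  awk '
    /^[^ \t]/ { src = $1; dst = $2; next }                   # new SA block
    /spi=/    { for (i = 1; i <= NF; i++) if ($i ~ /^spi=/) spi = $i }
    /^[ \t]*diff:/ {
      gsub(/\(s\)/, "")                 # "diff: 120(s)" -> "diff: 120"
      n++; pair[n] = src " -> " dst; id[n] = spi
      age[n] = $2 + 0; hard[n] = $4 + 0; soft[n] = $6 + 0
    }
    END {
      for (i = 1; i <= n; i++) {
        v = "ok"
        # soft == 0 is treated here as "no time lifetime configured"
        if (soft[i] > 0 && age[i] >= soft[i]) {
          v = "NOT-REKEYED"
          for (j = 1; j <= n; j++)
            if (j != i && pair[j] == pair[i] && age[j] < soft[j]) v = "rekeyed"
          if (v == "NOT-REKEYED") bad++
        }
        printf "%s %s age=%ds soft=%ds hard=%ds %s\n", pair[i], id[i], age[i], soft[i], hard[i], v
      }
      exit (bad > 0)
    }'
}

# Constructed: one SA well past its soft lifetime and nothing replaced it,
# the state the post describes a few hours into the tunnel's life.
SAMPLE_BAD='192.0.2.1 198.51.100.1
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	diff: 26794(s)	hard: 28800(s)	soft: 23040(s)'

# Constructed: same pair, old SA past soft but a fresh SA exists (healthy rekey).
SAMPLE_GOOD='192.0.2.1 198.51.100.1
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	diff: 23100(s)	hard: 28800(s)	soft: 23040(s)
192.0.2.1 198.51.100.1
	esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
	diff: 60(s)	hard: 28800(s)	soft: 23040(s)'

# On a live gateway replace the sample with: setkey -D | sa_report
printf '%s\n' "$SAMPLE_BAD" | sa_report || echo "WARNING: an SA passed its soft lifetime and was not rekeyed"
```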