From: Chris Cowen
To: freebsd-net@freebsd.org
Date: Fri, 28 Jan 2005 16:53:26 +0000
Subject: racoon behaviour when SA expires
Message-ID: <41FA6E06.8040309@wayforth.co.uk>
List-Id: Networking and TCP/IP with FreeBSD

Hi

I am using a VPN in tunnel mode between two sites, using racoon to negotiate the SA with x500 certs, and everything works well.

However, when the default SA lifetime of 8 hours (28800 secs) expires, racoon will not re-establish the connection automatically. I'm using ipv4.

A workaround is to flush the SPD on both ends, or sometimes a restart of racoon on the remote end is necessary.

I could increase the lifetime of the SA in racoon.conf, but I'd like it to just stay up (or better still, for racoon to renegotiate successfully when necessary).
BTW, can I set lifetime to zero to make the SA last forever?

I've looked on various mailing lists and there does seem to be a hint that racoon's behaviour is slightly odd when SAs expire (although, to be fair, this is in a post dated 1998 - so it may well have been fixed by now).

After the problems start, the logs report that the SA is up and well, and a tcpdump shows that things are partially working. The packets go from my local machine, through the tunnel, are decrypted and reach the destination machine on the remote network. The reply then gets back as far as the remote racoon gateway machine and disappears there. There doesn't seem to be any log info to explain its disappearance.

The (quite poor) diagram below tries to illustrate this:

    local -> localgw ----------------------> remotegw ---> remote host
             site a          tunnel           site b
                                              remotegw <--- remote host
                                                 ^- gets this far.

This means that we can't properly deploy our VPN, since it effectively stops working after 8 hours (or whatever time we set the lifetime to).

Anybody seen anything like this before?

Thanks

Chris
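The symptom above (the SA reported as up while replies vanish at the remote gateway) is easiest to spot from the kernel's own view of the SAD rather than from racoon's logs. The following is an added example, not code from this thread or from racoon: it parses a `setkey -D` dump, flags SAs that are dying or close to their hard lifetime, and reports tunnel directions that have a mature SA but no mature SA for the return path. The sample dump is constructed, and the field layout (`state=`, `diff:`/`hard:`/`soft:` lines) is assumed to match the KAME-style `setkey -D` format; adjust the regexes if your version prints differently.

```python
"""Flag IPsec SAs that are about to expire, and tunnel directions with no
live return SA, from a `setkey -D` SAD dump. Added example; not from the
thread or from racoon/ipsec-tools."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the KAME/FreeBSD `setkey -D` layout
# (assumed; addresses are documentation ranges, key material is made up).
# SA 1: outbound, near its 28800 s hard lifetime.  SA 2: the return
# direction, already dying.  SA 3: a freshly rekeyed outbound SA.
SAMPLE_SAD_DUMP = """\
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    E: 3des-cbc  00112233 44556677 8899aabb ccddeeff 00112233 44556677
    A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 28 08:53:26 2005   current: Jan 28 16:50:00 2005
    diff: 28594(s)  hard: 28800(s)  soft: 23040(s)
    last: Jan 28 16:49:59 2005      hard: 0(s)      soft: 0(s)
    current: 4194304(bytes) hard: 0(bytes)  soft: 0(bytes)
    allocated: 1200 hard: 0 soft: 0
    sadb_seq=2 pid=1234 refcnt=1
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
    E: 3des-cbc  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc bbaa9988
    A: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
    created: Jan 28 08:53:26 2005   current: Jan 28 16:50:00 2005
    diff: 28594(s)  hard: 28800(s)  soft: 23040(s)
    last: Jan 28 16:49:58 2005      hard: 0(s)      soft: 0(s)
    current: 3145728(bytes) hard: 0(bytes)  soft: 0(bytes)
    allocated: 900  hard: 0 soft: 0
    sadb_seq=1 pid=1234 refcnt=1
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=195939070(0x0badcafe) reqid=0(0x00000000)
    E: 3des-cbc  a1b2c3d4 e5f60718 293a4b5c 6d7e8f90 a1b2c3d4 e5f60718
    A: hmac-sha1  a1b2c3d4 e5f60718 293a4b5c 6d7e8f90 a1b2c3d4
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 28 16:48:00 2005   current: Jan 28 16:50:00 2005
    diff: 120(s)    hard: 28800(s)  soft: 23040(s)
    last: Jan 28 16:49:59 2005      hard: 0(s)      soft: 0(s)
    current: 65536(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 40   hard: 0 soft: 0
    sadb_seq=3 pid=1234 refcnt=1
"""


@dataclass
class SaRecord:
    src: str
    dst: str
    spi: int
    state: str      # larval, mature, dying or dead
    age_s: int      # "diff": seconds since the SA was created
    hard_s: int     # hard time lifetime; 0 means no time limit
    soft_s: int     # soft lifetime, where the IKE daemon is expected to rekey

    def remaining_s(self) -> Optional[int]:
        """Seconds until hard expiry, or None when no time limit is set."""
        return None if self.hard_s == 0 else self.hard_s - self.age_s


HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" entry line
SPI_RE = re.compile(r"\bspi=(\d+)\(0x[0-9a-fA-F]+\)")
STATE_RE = re.compile(r"\bstate=(\w+)")
# Only the "diff:" line carries the *time* lifetimes; the "last:" and
# byte-count lines also print hard:/soft: and must not be matched.
TIME_LIFE_RE = re.compile(
    r"^\s*diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")


def parse_sad(dump: str) -> List[SaRecord]:
    """Turn a setkey -D dump into one SaRecord per SA entry."""
    records: List[SaRecord] = []
    fields: dict = {}
    needed = ("src", "dst", "spi", "state", "age_s", "hard_s", "soft_s")

    def flush() -> None:
        if all(k in fields for k in needed):
            records.append(SaRecord(**fields))
        fields.clear()

    for line in dump.splitlines():
        if line and not line[0].isspace():      # unindented line opens an entry
            m = HEADER_RE.match(line)
            if m:
                flush()
                fields["src"], fields["dst"] = m.group(1), m.group(2)
            continue
        if m := SPI_RE.search(line):
            fields["spi"] = int(m.group(1))
        if m := STATE_RE.search(line):
            fields["state"] = m.group(1)
        if m := TIME_LIFE_RE.match(line):
            fields["age_s"], fields["hard_s"], fields["soft_s"] = map(int, m.groups())
    flush()
    return records


def expiring_sas(records: List[SaRecord], warn_fraction: float = 0.9) -> List[SaRecord]:
    """SAs already dying/dead, or past warn_fraction of their hard lifetime."""
    return [r for r in records
            if r.state in ("dying", "dead")
            or (r.hard_s and r.age_s >= warn_fraction * r.hard_s)]


def one_sided_tunnels(records: List[SaRecord]) -> List[Tuple[str, str]]:
    """(src, dst) pairs with a mature SA whose reverse direction has none.
    Outbound traffic still flows, but replies have no SA to return on."""
    live = {(r.src, r.dst) for r in records if r.state == "mature"}
    return sorted(p for p in live if (p[1], p[0]) not in live)


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD_DUMP)
    for r in expiring_sas(sas):
        print(f"{r.src} -> {r.dst} spi=0x{r.spi:08x} state={r.state} "
              f"age={r.age_s}s remaining={r.remaining_s()}s")
    for src, dst in one_sided_tunnels(sas):
        print(f"no live return SA for {src} -> {dst}")
```

On a live gateway, feed the script the output of `setkey -D` instead of the constructed sample; running it from cron on both gateways shortly before the configured lifetime elapses gives an early warning of the one-sided state the thread describes, without having to wait for traffic to stop.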