Subject: Re: racoon fails to renew its keys ?
To: Mihai CHELARU <kefren@netbastards.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: current-users
Date: 02/26/2003 08:14:06
  I set the lifetime for keys to 10 minutes. Launching racoon, it
  generates the pairs, after 10 minutes it gives the expire/delete
  messages to syslog and nothing after. Is it failing to renew its keys
  every 10 minutes?

I am more familiar with an older KAME racoon snap, but SAs are created
on demand (you didn't mention if there was traffic hitting an SPD
entry causing the original SA).  When an expire occurs (at 80% of
lifetime, typically), racoon will negotiate a replacement SA if the
previous SA had been used.  If the previous SAs have not been used,
they are simply allowed to expire.

Earlier versions of racoon negotiated new SAs whether the old ones had
been used or not, and this caused a lot of wasted/duplicate SAs.

I don't know what happens if the SA had not been used and is used
after the expire but before the SA hits the hard lifetime.  I suspect
no new SA is negotiated until the originals time out and the next
packet hits the SPD entry and finds no SA.

Racoon config file, SPD contents, and precise details of what traffic
was sent, what happened and what your expectations were are needed in
order to understand where the problem really is; I have just guessed
above based on inadequate information.

        Greg Troxel <gdt@ir.bbn.com>
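A constructed model of the rekeying behaviour described in the reply above, added here as an illustration; it is not racoon code and not part of the original thread. It assumes soft expiry at 80% of the SA lifetime, a replacement SA negotiated at soft expiry only when the old SA carried traffic (or unconditionally, for the older behaviour the reply mentions), an unused SA left to reach its hard lifetime, and that the packet which triggers a negotiation is not itself counted as use of the resulting SA (the KAME stack drops that packet while the ACQUIRE is pending; treated here as an assumption). The case the reply only guesses at, an SA first used after its soft expiry but before its hard expiry, is modelled exactly as guessed: no rekey until hard expiry, after which the next matching packet triggers a fresh negotiation. The `simulate` function, its arguments and the time units (minutes) are all hypothetical.

```python
"""
Discrete-time model of IPsec SA soft/hard lifetime handling.

Constructed illustration of the behaviour described in the mailing-list
reply; assumptions are noted inline.  One tick = one minute.
"""
from dataclasses import dataclass


@dataclass
class SA:
    created: int
    lifetime: int
    used: bool = False  # did any packet actually go through this SA?

    @property
    def soft_expire(self) -> int:
        # Assumption: soft expire fires at 80% of the configured lifetime.
        return self.created + int(self.lifetime * 0.8)

    @property
    def hard_expire(self) -> int:
        return self.created + self.lifetime


def simulate(traffic_times, lifetime, horizon, rekey_only_if_used=True):
    """Run the model for `horizon` ticks.

    traffic_times      -- ticks at which a packet matches the SPD entry
    lifetime           -- configured SA lifetime in ticks
    rekey_only_if_used -- True: newer behaviour (rekey at soft expire only
                          if the SA was used); False: older behaviour
                          (always rekey at soft expire)

    Returns (negotiation_times, stalled_packet_times): when a new SA was
    negotiated, and which packets found no SA and had to trigger one.
    """
    traffic = set(traffic_times)
    negotiations = []
    stalled = []
    current = None

    for t in range(horizon):
        # Hard lifetime reached: the kernel deletes the SA.
        if current is not None and t >= current.hard_expire:
            current = None

        # Soft lifetime reached: racoon decides whether to negotiate a
        # replacement.  An unused SA is simply allowed to expire.
        if current is not None and t == current.soft_expire:
            if current.used or not rekey_only_if_used:
                current = SA(created=t, lifetime=lifetime)
                negotiations.append(t)

        if t in traffic:
            if current is None:
                # No SA: the packet triggers an ACQUIRE and a negotiation.
                # Assumption: the triggering packet itself is not carried
                # by the new SA, so the SA starts out unused.
                stalled.append(t)
                current = SA(created=t, lifetime=lifetime)
                negotiations.append(t)
            else:
                current.used = True

    return negotiations, stalled


if __name__ == "__main__":
    LIFETIME = 10  # the 10-minute lifetime from the original question
    scenarios = {
        "single packet, rekey-if-used": ([0], True),
        "single packet, always rekey (older racoon)": ([0], False),
        "steady traffic, rekey-if-used": (range(40), True),
        "first use after soft expire (guessed case)": ([0, 9, 12], True),
    }
    for name, (traffic, policy) in scenarios.items():
        neg, stall = simulate(traffic, LIFETIME, 40, policy)
        print(f"{name}: negotiations at {neg}, stalled packets at {stall}")
```

With a single packet and the rekey-if-used policy the model negotiates once and then goes quiet after the hard expiry, which is the syslog pattern the original question describes; the older always-rekey policy keeps negotiating every 8 minutes with nothing using the SAs.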