Subject: racoon and DPD - am I misunderstanding something?
To: None <netbsd-users@NetBSD.org>
From: Jeff Rizzo <riz@tastylime.net>
List: netbsd-users
Date: 08/04/2006 15:56:39
Hi-
I've got a somewhat interesting setup on NetBSD 3.0_STABLE in which I
have a bunch of remote devices that I want to be able to copy files back
to a 'mothership' host on a port which has been secured with ipsec. In
the ordinary case, I've got everything working - racoon negotiates keys,
and the copies proceed smoothly.
However, if the mothership reboots (or even if racoon is restarted), the
remotes are no longer able to communicate with the mothership until
their racoon is restarted as well.
I've tried adding "dpd_delay 2" (yes, I realize it's too quick, but I
wanted to make testing go quickly) to the remotes' racoon.conf, and when
debugging on the server in normal operation, I see the DPD R-U-There
packets; however, it doesn't seem to actually cause the remote's racoon
to renegotiate after the server's racoon goes away.
Complicating factors: the remotes initiate all the transfers; the
server will never try to contact a remote. I only have ipsec protecting
port 6666 to the server.
/etc/ipsec.conf looks like this on the remotes:
spdadd 0.0.0.0/0 mothership[6666] tcp -P out ipsec ah/transport//require;
spdadd mothership[6666] 0.0.0.0/0 tcp -P in ipsec ah/transport//require;
...and like this on the mothership (192.168.1.78):
# prevent SA being established to local host
spdadd 192.168.1.78[6666] 192.168.1.78 tcp -P out none;
spdadd 192.168.1.78 192.168.1.78[6666] tcp -P in none;
spdadd 192.168.1.78[6666] 0.0.0.0/0 tcp -P out ipsec ah/transport//require;
spdadd 0.0.0.0/0 192.168.1.78[6666] tcp -P in ipsec ah/transport//require;
Does anyone have any ideas how to address this? I've "worked around"
the issue temporarily by making the remotes restart racoon if the
transfers fail, but that's Really Ugly, and I'd rather get this working
right.
Thanks,
+j
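For reference, an added example (not part of the original post) of the racoon.conf "remote" block a remote would carry for the mothership above, showing the three DPD knobs from racoon.conf(5) together rather than dpd_delay alone. The 192.168.1.78 address and port 6666 come from the post; the timer values and the proposal are illustrative assumptions.

```conf
# Added example, not from the original post: racoon.conf "remote" block on a
# remote device, peer = mothership (192.168.1.78 per the post).
remote 192.168.1.78
{
        exchange_mode main;

        # Dead Peer Detection (RFC 3706). All three values are illustrative;
        # the post only sets dpd_delay (to 2 s, for quick testing).
        dpd_delay 20;      # seconds of silence before an R-U-THERE probe is sent
        dpd_retry 5;       # seconds to wait for R-U-THERE-ACK before re-probing
        dpd_maxfail 5;     # unanswered probes before racoon declares the peer
                           # dead and tears down the phase 1 SA and its phase 2
                           # SAs, so the next packet to port 6666 triggers a
                           # fresh negotiation instead of reusing stale keys

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
```

Whether the stale SAs were really removed after the mothership went away can be checked on the remote with `setkey -D` (and the policies with `setkey -DP`); if AH SAs for 192.168.1.78 are still listed once dpd_maxfail probes have gone unanswered, DPD is not doing what the configuration intends.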