NetBSD-Users archive


Re: ipsec-tools-current, -4 and Cisco VPN



On Fri, Jun 06, 2008 at 02:41:00PM +1000, Jason Lingohr wrote:
>
> Is anyone here using -4 and ipsec-tools-current?
>
> I'm having a few problems with it -- notably, SPIs don't get deleted
> when a VPN is torn down, and re-keying doesn't seem to work anymore.

If you are talking about stale SAs after a peer reboot -- I had similar
problems with racoon and it seems that the only workaround is some kind
of a ping script which restarts racoon (or does a setkey -F) as soon as
the other peer goes down.

You should also consider racoon2 with ikev2. I replaced racoon with
racoon2 on all our peers and had no stale SAs / rekeying problems since
then.


Petar


- Stale SAs, an IPsec/ISAKMP robustness issue

``We are not entirely confident yet whether the use of ISAKMP and
  racoon in particular will be robust enough. One possible problem
  case is that the server’s and the client’s SA data may not be
  always in synchronization. For instance, when the server is
  rebooted its SAs are lost, while the client still holds on to
  the now stale SAs with the server. The client will continue to
  send IPsec packets to the server using the stale SA, whereas the
  server drops those IPsec packets because they don’t match
  any of the server’s SAs. The client has no way to notice that
  the tunnel is broken and the server does not reinitiate an
  ISAKMP negotiation for a new SA.''

  
http://www.usenix.org/events/bsdcon/full_papers/schadow/schadow_html/index.html


- the racoon2 project

  http://www.racoon2.wide.ad.jp/w/


- racoon2 for pkgsrc by KAMADA Ken'ichi (a racoon2 developer)

  http://www.scythe.jp/lab/racoon2/index.html
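A concrete form of the "ping script" workaround mentioned above, added here as an example; it is not Petar's script and not part of the thread or of ipsec-tools. It probes the peer periodically and, on the transition from reachable to unreachable, runs setkey -F so that the stale SAs are discarded and racoon negotiates fresh ones when the peer comes back. The peer address 192.0.2.1, the probe interval, the ping and flush command strings and the logger tag are all placeholders chosen for the example, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: a peer watchdog in the spirit of the
# "ping script" workaround.  It probes the peer and, on the transition from
# reachable to unreachable, flushes the SAD with "setkey -F" so racoon sets
# up fresh SAs once the peer returns, instead of keeping stale ones that a
# rebooted peer no longer knows about.
#
# Assumptions (hypothetical, not from the thread): the peer address in $1,
# the probe/flush command strings and the logger tag are placeholders.

PEER="${1:-192.0.2.1}"                      # constructed sample address
INTERVAL="${INTERVAL:-10}"                  # seconds between probes
PING_CMD="${PING_CMD:-ping -c 1 -w 2}"      # overridable, e.g. for testing
FLUSH_CMD="${FLUSH_CMD:-setkey -F}"         # run once when the peer vanishes

# probe_peer ADDR: print "up" if one probe gets a reply, "down" otherwise.
# $PING_CMD is deliberately unquoted so its options are split into words.
probe_peer() {
    if $PING_CMD "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# decide_action PREV CUR: print "flush" or "none" for a state transition.
# Only the up->down edge flushes: staying down must not flush again every
# INTERVAL, and coming back up needs no action because racoon negotiates
# new SAs on demand once the stale ones are gone.
decide_action() {
    if [ "$1" = up ] && [ "$2" = down ]; then
        echo flush
    else
        echo none
    fi
}

# run_once STATE: probe, act on the transition, print the new state.
# Kept separate from the loop so the logic can be exercised without sleeping.
run_once() {
    now=$(probe_peer "$PEER")
    if [ "$(decide_action "$1" "$now")" = flush ]; then
        logger -t ipsec-watchdog "peer $PEER unreachable, flushing SAD" \
            2>/dev/null || :
        $FLUSH_CMD
    fi
    echo "$now"
}

# watch_peer: the long-running loop.  Started only when WATCHDOG_RUN=1 so
# that sourcing this file (for instance to test it) does not block.
watch_peer() {
    state=up                # assume the tunnel is healthy at start-up
    while :; do
        state=$(run_once "$state")
        sleep "$INTERVAL"
    done
}

if [ "${WATCHDOG_RUN:-0}" = 1 ]; then
    watch_peer
fi
```

Run it as root (setkey needs privileges to modify the SAD), for example WATCHDOG_RUN=1 sh watchdog.sh 192.0.2.1 &. Point the probe at an address that is reachable only through the tunnel: then a peer that is up but has lost its SAs, the exact case the paper excerpt above describes, also shows as "down", because the peer drops the probe packets sent under the stale SA. Two caveats: a reboot that completes within one INTERVAL is never noticed, and setkey -F discards every SA on the box, so with several peers substitute a narrower FLUSH_CMD (setkey's deleteall with the peer's addresses) for the flush. IKEv2, as used by racoon2, carries its own liveness checks, which is why the thread's suggestion to move to racoon2 removes the need for a script like this.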

