[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: ipsec-tools-current, -4 and Cisco VPN
On Fri, Jun 06, 2008 at 02:41:00PM +1000, Jason Lingohr wrote:
> Is anyone here using -4 and ipsec-tools-current?
> I'm having a few problems with it -- notably, SPI's don't get deleted
> when a VPN is torn down, and re-keying doesn't seem to work anymore.
If you are talking about stale SAs after a peer reboot -- I had similar
problems with racoon and it seems that the only workaround is some kind
of a ping script which restarts racoon (or does a setkey -F) as soon as
the other peer goes down.
You should also consider racoon2 with ikev2. I replaced racoon with
racoon2 on all our peers and had no stale SAs / rekeying problems since
- Stale SAs, an IPsec/ISAKMP robustness issue
``We are not entirely confident yet whether the use of ISAKMP and
racoon in particular will be robust enough. One possible problem
case is that the server’s and the client’s SA data may not be
always in synchronization. For instance, when the server is
rebooted its SAs are lost, while the client still holds on to
the now stale SAs with the server. The client will continue to
send IPsec packets to the server using the stale SA, whereas the
server does drops those IPsec packets because they don’t match
any of the server’s SAs. The client has no way to notice that
the tunnel is broken and the server does not reinitiate an
ISAKMP negotiation for a new SA.''
- the racoon2 project
- racoon2 for pkgsrc by KAMADA Ken'ichi (a racoon2 developer)
Main Index |
Thread Index |