racoon behaviour when SA expires

From: Chris Cowen (chris_at_wayforth.co.uk)
Date: 01/28/05

    Date: Fri, 28 Jan 2005 16:53:26 +0000
    To: freebsd-net@freebsd.org
    
    

    Hi

    I am using a VPN in tunnel mode between two sites, using racoon to
    negotiate the SA with x500 certs and everything works well. However,
    when the default SA lifetime of 8 hours (28800 secs) expires, racoon
    will not re-establish connection automatically. I'm using ipv4.

    A workaround is to flush the SPD on both ends, or sometimes, a restart
    of racoon on the remote end is necessary.

    I could increase the lifetime of the SA in racoon.conf, but I'd like it
    to just stay up (or better still, for racoon to renegotiate successfully
    when necessary). BTW can I set lifetime to zero to make the SA last forever?

    I've looked on various mailing lists and there does seem to be a hint that
    racoon's behaviour is slightly odd when SAs expire (although to be fair,
    this is in a post dated 1998 - so it may well have been fixed by now).

    After the problems start, the logs report that the SA is up and well and
    a tcpdump shows that things are partially working. The packets go from
    my local machine, through the tunnel, are decrypted and reach the
    destination machine on the remote network. The reply then gets back as
    far as the remote racoon gateway machine and disappears there. There
    doesn't seem to be any log info to explain its disappearance.

    The (quite poor) diagram below tries to illustrate this:

    local -> localgw ----------------------> remotegw ---> remote host
              site a          tunnel           site b

                                              remotegw <--- remote host

                                               ^- gets this far.

    This means that we can't properly deploy our VPN, since it effectively
    stops working after 8 hours (or whatever time we set the lifetime to).

    Anybody seen anything like this before?

    Thanks

    Chris

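One way to watch for the condition described above (an SA that racoon has not replaced before its soft lifetime runs out, so the tunnel dies at hard expiry), as an added example that is not code from the original post: it parses a `setkey -D` dump and reports address pairs with no mature SA still inside its soft lifetime. The dump layout is assumed from ipsec-tools, and the sample dump, addresses and SPIs are constructed.

```python
import re

# Constructed sample of `setkey -D` (SAD dump) output, layout assumed from
# ipsec-tools with non-essential lines omitted. 192.0.2.1 is the local gateway,
# 198.51.100.1 the remote one; the inbound SA is past its soft lifetime with no successor.
SAMPLE_DUMP = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan 28 16:51:26 2005\tcurrent: Jan 28 16:53:26 2005
\tdiff: 120(s)\thard: 28800(s)\tsoft: 23040(s)
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan 28 09:23:26 2005\tcurrent: Jan 28 16:53:26 2005
\tdiff: 27000(s)\thard: 28800(s)\tsoft: 23040(s)
"""

HEADER_RE = re.compile(r"^(\S+) (\S+)\s*$")  # untabbed "src dst" opens an entry
SPI_RE = re.compile(r"\b(esp|ah) mode=(\w+) spi=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")
LIFE_RE = re.compile(r"^\s*diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")

def parse_sad(dump):
    """Parse a setkey -D dump into one dict per SA (src, dst, spi, state, ages)."""
    sas, cur = [], None
    for line in dump.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is not None:
            if m := SPI_RE.search(line):
                cur["proto"], cur["mode"], cur["spi"] = m[1], m[2], int(m[3])
            if m := STATE_RE.search(line):
                cur["state"] = m[1]
            if m := LIFE_RE.match(line):  # seconds since creation, hard/soft limits
                cur["age"], cur["hard"], cur["soft"] = map(int, m.groups())
    return sas

def within_soft(sa):
    """True if the SA is usable and racoon is not yet due to replace it (soft 0 = no limit)."""
    return sa.get("state") == "mature" and (
        sa.get("soft", 0) == 0 or sa.get("age", 0) < sa["soft"])

def stale_pairs(sas):
    """Address pairs with no SA inside its soft lifetime: renegotiation is overdue."""
    by_pair = {}
    for sa in sas:
        by_pair.setdefault((sa["src"], sa["dst"]), []).append(sa)
    return sorted(p for p, g in by_pair.items() if not any(map(within_soft, g)))
```

Run it against the live `setkey -D` output on both gateways from cron; a pair that stays listed after the soft lifetime is the moment to look at racoon's logs, before the hard expiry breaks the return path.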

