#6 racoon restart issue in road warrior mode

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-01-16
Created: 2004-01-29
Creator: Aidas Kasparas
Private: No

From Debian bug #224967:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=224967

From: Jochen Friedrich <jochen@scram.de>

If racoon is set up to accept road warriors (passive on; generate_policy on), racoon doesn't remove its own SPD entries when being stopped. So if racoon is restarted, it no longer maintains these entries, so they will eventually time out and ipsec stops working for those entries.

To reproduce:

- Set up gateway 1 to accept road warriors. Gateway 2 is static.
- Start the ipsec connection from gateway 2 -> ping works.
- Stop racoon on gateway 1 -> ping stops. Note that on gateway 1 the SPD entries are still there.
- Start racoon on gateway 1 -> ping resumes.
- After the SA timeout, the SPD entry will time out as well and won't be regenerated -> ping stops again.
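The failure mode above is visible in the kernel before the ping stops: a policy that generate_policy created is still in the SPD while the SA that protected it has expired, and a racoon that no longer owns the entry will not rekey it. The following is an added health check for that state; it is example code, not part of ipsec-tools or of the bug report. It parses the text printed by `setkey -DP` (policies) and `setkey -D` (SAs) and lists tunnel policies with no SA. The output layout is assumed to be setkey's usual format, and the sample texts, addresses and SPI are constructed.

```python
"""Added example: report IPsec policies (SPD) whose tunnel has no live SA (SAD).

Not project code. Assumes the layout of `setkey -DP` / `setkey -D` output;
the sample blocks below are constructed to mirror the report's tunnel.
"""
import re
import subprocess
import sys

# A policy block starts at column 0 ("src[port] dst[port] proto"); the
# indented "esp/tunnel/SRC-DST/LEVEL" line names the tunnel endpoints.
TUNNEL_RE = re.compile(r"^\s+\S+/tunnel/(\S+?)-(\S+?)/\S+$")
DIRECTIONS = ("in", "out", "fwd")

# Constructed sample of `setkey -DP`: inbound and outbound policies for a
# 192.168.2.0/24 <-> 192.168.1.0/24 tunnel between 10.0.0.2 and 10.0.0.1.
SAMPLE_SPD = """\
192.168.2.0/24[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/10.0.0.2-10.0.0.1/require
\tspid=16 seq=1 pid=1234
\trefcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
\tout ipsec
\tesp/tunnel/10.0.0.1-10.0.0.2/require
\tspid=15 seq=0 pid=1234
\trefcnt=1
"""

# Constructed sample of `setkey -D`: only the inbound SA is still alive,
# so the outbound policy above is orphaned.
SAMPLE_SAD = """\
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: rijndael-cbc  0123456789abcdef 0123456789abcdef
\tA: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""


def parse_spd(text):
    """Return [(selector, direction, (tunnel_src, tunnel_dst)), ...] for ipsec policies."""
    policies = []
    selector = direction = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # column 0: a new policy block
            selector, direction = line.strip(), None
            continue
        first = line.split()[0]
        if first in DIRECTIONS:            # "in ipsec" / "out ipsec" / ...
            direction = first
        m = TUNNEL_RE.match(line)
        if m and selector is not None:     # policies with "none"/"discard" have no tunnel line
            policies.append((selector, direction, (m.group(1), m.group(2))))
    return policies


def parse_sad(text):
    """Return the set of (src, dst) endpoint pairs that currently have an SA."""
    pairs = set()
    for line in text.splitlines():
        if line and not line[0].isspace():
            parts = line.split()
            if len(parts) == 2:            # SA header line: "src dst"
                pairs.add((parts[0], parts[1]))
    return pairs


def find_orphaned(spd_text, sad_text):
    """Policies whose tunnel endpoints (in that direction) have no SA at all."""
    alive = parse_sad(sad_text)
    return [p for p in parse_spd(spd_text) if p[2] not in alive]


def check_live_kernel():
    """Query setkey on this host (needs privileges) and return orphaned policies."""
    spd = subprocess.run(["setkey", "-DP"], capture_output=True, text=True, check=True).stdout
    sad = subprocess.run(["setkey", "-D"], capture_output=True, text=True, check=True).stdout
    return find_orphaned(spd, sad)


if __name__ == "__main__":
    orphans = check_live_kernel() if "--live" in sys.argv else find_orphaned(SAMPLE_SPD, SAMPLE_SAD)
    for selector, direction, (src, dst) in orphans:
        print(f"ORPHANED {direction} policy {selector}: tunnel {src}->{dst} has no SA")
```

Run it without arguments to see the constructed case (the outbound policy is reported), or with `--live` on a gateway to compare the real SPD against the real SAD; running it once before and once after a racoon restart shows directly whether the generate_policy entries are still owned by anything that will rekey them.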

Discussion

  • Logged In: NO

    I had the same problem with the policy not being updated
    after SA timeout. But it also happens without stopping the
    passive gateway in between. This means that automatic
    rekeying does not work with generate_policy=on. The problem
    still exists with kernel 2.6.8.1 and ipsec-tools 0.4rc1 from
    cvs.
    There is however a patch at the KAME-racoon-ML:
    http://www.kame.net/racoon/racoon-ml/msg00607.html
    This fixed the problem for me.

     
  • Logged In: NO

    path pre_shared_key "/etc/preshared.txt";

    # accept any peer: road-warrior (passive) gateway with generated policy
    remote anonymous {
        exchange_mode aggressive;
        peers_identifier user_fqdn "Last101@SQALab.com";
        generate_policy on;
        passive on;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
            lifetime time 900 seconds;
        }
    }

    # phase 2 parameters for the 192.168.1.0/24 <-> 192.168.2.0/24 tunnel
    sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any {
        pfs_group 2;
        encryption_algorithm rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 600 seconds;
    }

    /etc/preshared.txt:
    Last101@SQALab.com 1234

  • Timo Teras
    2009-01-16

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been taken care of, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.