#9 Policy lifetime rekey margin

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-01-16
Created: 2006-08-03
Private: No

FreeS/WAN has a nice configuration option for policies
named "rekeymargin":

http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/manpage.d/ipsec.conf.5.html

"how long before SA (and key) expiry should
attempts to negotiate replacements begin; acceptable
values as for keylife (default 9m)"

This way, when a security association is about to
expire, FreeS/WAN initiates a new negotiation to create
a new, replacement association, so there's no
tunnel downtime.

Racoon doesn't handle this problem at all, which causes
packet loss every time an association expires (!!!).

This is also due to the lack of a second feature in
racoon/ipsec-tools: deferral of connections/packets
until a tunnel is established (see
https://sourceforge.net/tracker/index.php?func=detail&aid=1101806&group_id=74601&atid=541485).

Currently, with ipsec-tools, when there's no active
association present, for all packets, ipsec-tools
simply return a "connect: Resource temporarily
unavailable" error and this usually results in raising
application-level errors, until a new security
association is negotiated (which can take several seconds).

So to summarize:
1) ipsec-tools handle the "lack of association" problem
very inelegantly, returning errors instead of queueing
packets until an association is established (the
feature request no. 1101806)
2) racoon lacks a feature to proactively establish new
associations before old ones expire (this feature request).

FreeS/WAN handles this much better.

Discussion

  • Logged In: YES
    user_id=105392

    Problem 1: Racoon generates SAs with a soft lifetime of 80%
    of hard lifetime, and SAs *are* renegotiated when old SAs
    are dying (or tell us more about your configuration).

    Problem 2: processing packets to encapsulate is *not* a
    racoon problem, it is a kernel issue.
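A way to settle the "are SAs renegotiated before they die?" question from the reporter's description and the reply above, as an added example that is not code from this ticket or from ipsec-tools: parse the SAD dump that `setkey -D` prints, and for each traffic direction check whether the newest SA is already past its soft lifetime with no replacement negotiated. The sample dump, the 192.0.2.x addresses and the function names are constructed for the example, and the column layout of the `diff:`/`hard:`/`soft:` line is an assumption from memory of ipsec-tools output, so compare the regexes against a real dump before trusting the result.

```python
# Added example (not ipsec-tools code): audit SA lifetimes from a `setkey -D` dump.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

FREESWAN_DEFAULT_REKEYMARGIN = 9 * 60  # "9m", from the ipsec.conf(5) text quoted in the ticket

# Constructed sample in the layout assumed for ipsec-tools' `setkey -D`
# (assumption: check the `diff:/hard:/soft:` line against a real dump).
# 192.0.2.1->192.0.2.2 has an old SA plus its fresh replacement; the reverse
# direction has only an old SA. Later blocks omit the key/counter lines.
SAMPLE_SETKEY_D = """\
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
    E: aes-cbc  00112233 44556677 8899aabb ccddeeff
    A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 16 12:00:00 2009    current: Jan 16 18:40:00 2009
    diff: 24000(s)    hard: 28800(s)    soft: 23040(s)
    last: Jan 16 18:39:59 2009    hard: 0(s)    soft: 0(s)
    current: 4096000(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 4000    hard: 0    soft: 0
    sadb_seq=3 pid=4242 refcnt=0
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 30(s)    hard: 28800(s)    soft: 23040(s)
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=2882400001(0xabcdef01) reqid=2(0x00000002)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 24000(s)    hard: 28800(s)    soft: 23040(s)
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "src dst" opens an SA block
SPI_RE = re.compile(r"^\s+(?:esp|ah|ipcomp)\s+mode=\S+\s+spi=\d+\((0x[0-9a-fA-F]+)\)")
STATE_RE = re.compile(r"\bstate=(\w+)")
LIFE_RE = re.compile(r"^\s+diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")


@dataclass
class SA:
    src: str
    dst: str
    spi: str
    state: str
    elapsed: int  # seconds since creation ("diff")
    hard: int     # hard lifetime: the kernel deletes the SA at this age
    soft: int     # soft lifetime: the kernel asks racoon to start rekeying

    @property
    def past_soft(self) -> bool:
        return self.elapsed >= self.soft

    @property
    def rekey_margin(self) -> int:
        """Seconds between soft and hard expiry; the racoon analogue of rekeymargin."""
        return self.hard - self.soft


def parse_setkey_dump(text: str) -> List[SA]:
    """Turn the SAD dump into one SA record per block; unneeded lines are skipped."""
    sas: List[SA] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            cur = {"src": m.group(1), "dst": m.group(2)}
        elif not cur:
            continue
        elif (m := SPI_RE.match(line)):
            cur["spi"] = m.group(1)
        elif (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)
        elif (m := LIFE_RE.match(line)):
            elapsed, hard, soft = (int(x) for x in m.groups())
            sas.append(SA(cur["src"], cur["dst"], cur.get("spi", "?"),
                          cur.get("state", "?"), elapsed, hard, soft))
            cur = {}  # the rest of this block (byte/packet counters) is not needed
    return sas


def check_rekeying(sas: List[SA]) -> Dict[str, List[str]]:
    """Per direction, judge the newest SA only: if even it is past its soft
    lifetime, no replacement exists yet and the tunnel will gap at hard expiry."""
    by_dir: Dict[Tuple[str, str], List[SA]] = {}
    for sa in sas:
        by_dir.setdefault((sa.src, sa.dst), []).append(sa)
    report: Dict[str, List[str]] = {"ok": [], "rekey_overdue": []}
    for (src, dst), group in sorted(by_dir.items()):
        newest = min(group, key=lambda s: s.elapsed)
        report["rekey_overdue" if newest.past_soft else "ok"].append(f"{src}->{dst}")
    return report


if __name__ == "__main__":
    sas = parse_setkey_dump(SAMPLE_SETKEY_D)
    for sa in sas:
        print(f"{sa.src}->{sa.dst} spi={sa.spi} age={sa.elapsed}s soft={sa.soft}s "
              f"hard={sa.hard}s margin={sa.rekey_margin}s "
              f"(FreeS/WAN default rekeymargin {FREESWAN_DEFAULT_REKEYMARGIN}s)")
    print(check_rekeying(sas))
```

Run it against a real dump with `setkey -D | python3 check_sa.py` after swapping the sample for `sys.stdin.read()`. In the constructed sample the soft lifetime is exactly 80% of the hard one, matching the reply above, which leaves racoon a 5760 s window to negotiate a replacement; a direction listed under `rekey_overdue` is one where that window is being used up without a new SA appearing, which is the situation the reporter describes.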

  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

  • Timo Teras
    2009-01-16

    • status: open --> closed