FreeS/WAN has a nice configuration option for policies
"how long before SA (and key) expiry should
attempts to negotiate replacements begin; acceptable
values as for keylife (default 9m)"
This way, when a security association is about to
expire, FreeS/WAN initiates a new negotiation to create
a new, replacement association. This way, there's no
Racoon doesn't handle this problem at all, which causes
packet loss every time an association expires (!!!).
This is also due to the lack of a second feature in
racoon/ipsec-tools: deferral of connections/packets
until a tunnel is established (see
Currently, with ipsec-tools, when there's no active
association present, for all packets, ipsec-tools
simply return a "connect: Resource temporarily
unavailable" error and this usually results in raising
application-level errors, until a new security
association is negotiated (which can take several seconds).
So to summarize:
1) ipsec-tools handle the "lack of association" problem
very unelegantly - returnin errors instead of queueing
packets until an association is established (the
feature request no. 1101806)
2) racoon lacks a feature to proactively establish new
associations before old ones expire (this feature request).
FreeS/WAN handles this much better.