Hello,

I have successfully established an IPSec VPN between a Linux server and a Windows 2000 host.
The IPSec is in transport mode.

Linux server ip is 10.10.10.110
Windows 2000 host ip is 10.10.10.100


The configuration on the Linux server :
---------------------------------------

racoon.conf :
-------------

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
 pfs_group 2;
 lifetime time 3600 sec ;
 encryption_algorithm des, 3des, blowfish 448, rijndael ;
 authentication_algorithm hmac_sha1, hmac_md5 ;
 compression_algorithm deflate ;
}
include "/etc/racoon/10.10.10.100.conf";


/etc/racoon/10.10.10.100.conf :
-------------------------------

remote 10.10.10.100
{
 exchange_mode main;
 my_identifier address;
 lifetime time 1440 min;
 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group 2 ;
 }
}


The configuration on the Windows 2000 host :
--------------------------------------------

ipsecpol -f 0+10.10.10.110 -n ESP[3DES,SHA]3600SPFS2 -a PRESHARE:"xxxxxxxx" -lan -1s 3DES-SHA-2 -1k 86400S -1p -p "VPN1" -c


Everything was working fine, so I decided to test the VPN: I rebooted the Linux server. When it came back up,
I verified that the IKE/IPSec configuration survived the reboot using the command "/sbin/setkey -D -P" and indeed
the data was there.

I used Ethereal to sniff the network and I saw that the application I ran on the Windows 2000 host was constantly
sending packets to the Linux server (it was trying to reconnect to its server, which runs on the Linux server),
and the SPI of the packets was the old SPI - which is also fine.

The Linux server got the packets but ignored them - shouldn't racoon be notified by a trap from the IPSec code in the kernel
that it should send a delete notification to the other side and then start main mode again to re-establish keys?

What do I have to do in order to retain the VPN connection in such a scenario (the server reboots and the client
keeps sending data to the server with the old SPI)?

Thank you :-)

Itay
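Note that `setkey -D -P` dumps only the security policy database (SPD); the security associations themselves are shown by `setkey -D`, and it is those that a reboot clears. The following added script (not part of this message; the setkey output samples in it are constructed) parses both dumps and lists the policies that currently have no mature SA, which is the check a monitoring script for the situation described above would run.

```python
# Constructed sample of `setkey -D -P` (the SPD) as it looks after the Linux
# server reboots: both transport-mode policies were reloaded at boot.
SPD_DUMP = """\
10.10.10.100[any] 10.10.10.110[any] any
    in ipsec
    esp/transport//require
10.10.10.110[any] 10.10.10.100[any] any
    out ipsec
    esp/transport//require
"""

# Constructed sample of `setkey -D` (the SAD, key lines omitted): only an
# outbound SA exists, so inbound ESP from the Windows host matches no SA.
SAD_DUMP = """\
10.10.10.110 10.10.10.100
    esp mode=transport spi=305419896(0x12345678) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

def _entries(dump):
    """Split a setkey dump into (header, [indented detail lines]) entries."""
    entries = []
    for line in dump.splitlines():
        if line[:1] not in (" ", "\t", ""):      # unindented line: new entry
            entries.append((line.strip(), []))
        elif line.strip() and entries:           # indented line: detail
            entries[-1][1].append(line.strip())
    return entries

def parse_spd(dump):
    """Return [(src, dst, direction)] for policies that require IPsec."""
    policies = []
    for header, body in _entries(dump):
        src, dst = (tok.split("[")[0] for tok in header.split()[:2])
        direction, action = body[0].split()[:2]
        if action == "ipsec":                    # skip discard/none policies
            policies.append((src, dst, direction))
    return policies

def parse_sad(dump):
    """Return the set of (src, dst) pairs that have a mature (usable) SA."""
    return {tuple(hdr.split()[:2]) for hdr, body in _entries(dump)
            if any("state=mature" in line for line in body)}

def policies_without_sa(spd_dump, sad_dump):
    """Policies whose traffic is dropped until IKE negotiates a matching SA."""
    live = parse_sad(sad_dump)
    return [p for p in parse_spd(spd_dump) if (p[0], p[1]) not in live]
```

Calling `policies_without_sa(SPD_DUMP, SAD_DUMP)` on the samples reports the inbound 10.10.10.100 -> 10.10.10.110 policy as having no SA; in a real check you would feed it the output of the two setkey commands instead of the constructed strings.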