Can anyone comment on the scenario of MODECFG script usage in the case of IKE
Phase 1 renegotiation? I am using racoon as an mVPN client to a third party
I've done some tests and found that during ISAKMP-SA renegotiation racoon
creates the new SA first and then expires the old SA later. That is quite
understandable, because renegotiation starts on the soft timeout, before the old SA
becomes completely dead.
The problem arises when MODECFG comes into the equation. The phase1_up script is triggered
after the new SA's creation, and the phase1_down script is triggered after release of the old
This way the death of the old SA removes the policy and network settings updated earlier
with the creation of the new SA.
I suppose this problem can be cured by altering the scripts, but I am still
interested in finding the community's opinion on the subject.
Is it a bug? Are there already any common ways of solving this problem?
Or maybe I've done (used/configured) something wrong? Without "rekey force"
enabled, the ISAKMP-SA just gets old and is dropped without creation of any
new SA. Is it a general way to start an mVPN session with "racoonctl vc"?
Maybe 4 minutes of ISAKMP-SA lifetime is just the wrong value even for
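
An added example, not part of the original post and not racoon's own scripts: one way to alter the hook scripts so that the late phase1_down of the old SA does not undo what the new SA's phase1_up set up, by counting live ISAKMP-SAs per peer. The function names, the state directory and passing the peer address as an argument are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: reference-counted phase1_up / phase1_down handling.
# During a rekey the hooks arrive as: up(old) ... up(new) ... down(old).
# Teardown must only happen when the LAST ISAKMP-SA for the peer goes away.

STATE_DIR="${STATE_DIR:-/tmp/racoon-hook-demo}"   # hypothetical state location

# Stand-ins for the real work (SPD policy, routes, resolver settings).
apply_settings()  { echo applied > "$STATE_DIR/$1.cfg"; }
remove_settings() { rm -f "$STATE_DIR/$1.cfg"; }

# Number of ISAKMP-SAs currently recorded for a peer (0 if none).
sa_count() {
    cat "$STATE_DIR/$1.count" 2>/dev/null || echo 0
}

# Call from the phase1_up script; $1 is the peer address (assumed argument).
hook_phase1_up() {
    peer=$1
    mkdir -p "$STATE_DIR"
    n=$(( $(sa_count "$peer") + 1 ))
    echo "$n" > "$STATE_DIR/$peer.count"
    # Re-applying is harmless and picks up values pushed with the new SA.
    apply_settings "$peer"
}

# Call from the phase1_down script; $1 is the peer address (assumed argument).
hook_phase1_down() {
    peer=$1
    n=$(( $(sa_count "$peer") - 1 ))
    if [ "$n" -lt 0 ]; then n=0; fi      # tolerate a down without a recorded up
    echo "$n" > "$STATE_DIR/$peer.count"
    # Only the last SA going down removes policy and network settings.
    if [ "$n" -eq 0 ]; then
        remove_settings "$peer"
    fi
}
```

The counter file is not locked, so this assumes the two hooks for one peer do not run at the same instant.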