[Ipsec-tools-devel] reconnecting after ISAKMP-SA deleted

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I have   LAN1 <--> GW1  <---> GW2 <--> LAN2.

Everything works fine when startup racoon on Both GW1 and GW2.

If i restart GW2,  then  GW1 racoon  has the messages:

2008-06-03 15:02:56: INFO: isakmp.c:3089:purge_remote(): purging 
ISAKMP-SA spi=5eb0062f189a248c:0e5fd9f9dc3deb55.
2008-06-03 15:02:56: DEBUG: pfkey.c:300:pfkey_dump_sadb(): call 
pfkey_send_dump
2008-06-03 15:02:56: INFO: isakmp.c:3214:purge_remote(): purged 
ISAKMP-SA spi=5eb0062f189a248c:0e5fd9f9dc3deb55.
2008-06-03 15:02:56: DEBUG: isakmp_inf.c:1410:isakmp_info_recv_d(): 
purged SAs.
2008-06-03 15:02:57: INFO: isakmp.c:1925:isakmp_ph1delete(): ISAKMP-SA 
deleted 192.168.10.54[500]-192.168.10.232[500] 
spi:5eb0062f189a248c:0e5fd9f9dc3deb55

pinging from LAN1 to LAN2  will *not* restart the tunnel.    pinging 
from LAN2 to LAN1 will restart the tunnel because GW2 initiates the 
connection.

I restart both GW1 and GW2, everything works fine.    If i do racoonctl 
vpn-connect 192.168.10.232  from GW1 it will also reconnect correctly.   
Ideally i would like it to reconnect automatically.   I  have tried 
ipsec-tools  0.6.6 , 0.6.7 and 0.7    with the same results.     How 
make reconnection happen automatically,  some kind of racoon 
configuration opt I'm missing?

My racoon.conf is

path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.10.54 {
        proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 1;
        }
        nat_traversal on;
        lifetime time 86400 secs;
        peers_identifier address;
        exchange_mode main;
}
sainfo address 192.168.30.0/24 any address 192.168.19.0/24 any {
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         lifetime time 28800 secs;
         compression_algorithm deflate;
}

----------------

# Security policies
spdadd 192.168.19.0/24 192.168.30.0/24 any -P in ipsec
           esp/tunnel/192.168.10.54-192.168.10.232/require;

spdadd 192.168.30.0/24 192.168.19.0/24 any -P out ipsec
           esp/tunnel/192.168.10.232-192.168.10.54/require;

Thanks,

karl