Re: [Ipsec-tools-devel] Status of DPD? (Patch confirmed working!)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

On Fri, 23 Oct 2009, Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development) wrote:

> Hi,
>
> we encountered a situation where we use Dead Peer Detection (DPD) and have discovered that SAs are not properly deleted. Both sides are configured to use DPD, phase 1 (ISAKMP)-SA is properly deleted, phase 2 (IPSec)-SA are left intact. The latter causes problems when a peer reboots.
>
> It's our understanding from reading RFC 3706 #5.4 that the IPSec-SAs should be deleted too:
> ".an implementation SHOULD assume its peer to be unreachable and delete IPSec and IKE SAs to the peer."
>
> This is currently not the case, at least not with aggressive mode and NAT-T deactivated. A patch was proposed at http://osdir.com/ml/network.ipsec.tools.devel/2008-08/msg00047.html and we can confirm that it works for our situation!
>
> Can you please advise us as of what IPSec-Tools version the patch will be integrated?
>
> We are currently using IPSec-Tools version 0.7.1nb1 that comes with the NetBSD 5.0-release branch.

ipsectools-0.8 snapshots from cvs have fixed this for over a year now.

You can turn on rekeying which will renogiate the phase 2 ipsec SA when
DPD rips away the phase 1 isakmp SA.

Greetings
Christian Kratzer
CK Software GmbH

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck...@ck...                  Schwarzwaldstr. 31
Phone:   +49 7452 889 135              D-71131 Jettingen
Fax:     +49 7452 889 136              HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer