From: Christian K. <ck...@ck...> - 2009-10-27 19:42:08
Hi,

On Fri, 23 Oct 2009, Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development) wrote:
> Hi,
>
> we encountered a situation where we use Dead Peer Detection (DPD) and have discovered that SAs are not properly deleted. Both sides are configured to use DPD; the phase 1 (ISAKMP) SA is properly deleted, the phase 2 (IPSec) SAs are left intact. The latter causes problems when a peer reboots.
>
> It's our understanding from reading RFC 3706 #5.4 that the IPSec-SAs should be deleted too:
> "...an implementation SHOULD assume its peer to be unreachable and delete IPSec and IKE SAs to the peer."
>
> This is currently not the case, at least not with aggressive mode and NAT-T deactivated. A patch was proposed at http://osdir.com/ml/network.ipsec.tools.devel/2008-08/msg00047.html and we can confirm that it works for our situation!
>
> Can you please advise us as of what IPSec-Tools version the patch will be integrated?
>
> We are currently using IPSec-Tools version 0.7.1nb1 that comes with the NetBSD 5.0-release branch.

ipsec-tools 0.8 snapshots from cvs have fixed this for over a year now. You can turn on rekeying, which will renegotiate the phase 2 IPsec SA when DPD rips away the phase 1 ISAKMP SA.

Greetings
Christian Kratzer
CK Software GmbH

--
Christian Kratzer                 CK Software GmbH
Email: ck...@ck...                Schwarzwaldstr. 31
Phone: +49 7452 889 135           D-71131 Jettingen
Fax:   +49 7452 889 136           HRB 245288, Amtsgericht Stuttgart
Web:   http://www.cksoft.de/      Geschaeftsfuehrer: Christian Kratzer
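A racoon.conf fragment showing the DPD settings from the report together with the rekeying that the reply recommends (added example, not from the thread or the ipsec-tools project; the peer address, identifiers, algorithms and timer values are placeholders):

```conf
# Added example, not from the thread: racoon.conf (ipsec-tools 0.8) remote
# block with Dead Peer Detection and rekeying enabled, so that when DPD
# removes the phase 1 ISAKMP SA the phase 2 IPsec SAs are renegotiated
# instead of being left behind. 192.0.2.1, the identifiers and the timers
# are placeholders; adjust them to the real peer.
remote 192.0.2.1 {
        exchange_mode aggressive;       # the mode in which the problem was seen
        nat_traversal off;              # NAT-T deactivated, as in the report
        my_identifier fqdn "vpn-a.example.com";
        peers_identifier fqdn "vpn-b.example.com";

        # DPD (RFC 3706): send R-U-THERE after 20 s of silence, wait 5 s for
        # the R-U-THERE-ACK, declare the peer dead after 5 consecutive misses.
        dpd_delay 20;
        dpd_retry 5;
        dpd_maxfail 5;

        # The workaround from the reply: with rekeying on, racoon renegotiates
        # the phase 2 SA once DPD has torn down the phase 1 SA.
        rekey on;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

To confirm the behaviour after a peer reboot, compare `setkey -D` on the surviving side before and after DPD fires: the old phase 2 SAs should be replaced by fresh ones rather than remain with the original SPIs.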